• Status: Solved

Hiding user and password in ASPX (for CDO Message sends)

I have seen examples like the one below on the Microsoft web site with regard to sending an email from an aspx page script using CDO Message.  My question though is what is the best practice with regard to hiding the password and not just including it in the aspx script code?  This will be the username and password for the SMTP email server we are using, so it isn't a user on the IIS server, etc.  Any guidance appreciated...

http://support.microsoft.com/kb/555287

    using System;
    using System.Web.Mail;

    namespace SMTPAuthentication
    {
        public class SMTPAuthenticationExample
        {
            public static void SendMail()
            {
                string smtpServer = "smtp.domain.com";
                // SMTP account credentials, hard-coded in the page source
                string userName = "johnDoe";
                string password = "pass";
                int cdoBasic = 1;          // basic (clear-text) SMTP authentication
                int cdoSendUsingPort = 2;  // send over the network to the SMTP port
                MailMessage msg = new MailMessage();
                if (userName.Length > 0)
                {
                    msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpserver", smtpServer);
                    msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpserverport", 25);
                    msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendusing", cdoSendUsingPort);
                    msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate", cdoBasic);
                    msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendusername", userName);
                    msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendpassword", password);
                }
                msg.To = "someone@domain.com";
                msg.From = "me@domain.com";
                msg.Subject = "Subject";
                msg.Body = "Message";
                SmtpMail.SmtpServer = smtpServer;
                SmtpMail.Send(msg);
            }
        }
    }

~bp
Asked:
Bill Prew
4 Solutions
 
Randy Poole Commented:
You could store them in a database.  What are your concerns with storing them in the asp page?
0
 
Big Monty, Senior Web Developer / CEO of ExchangeTree.org, Commented:
Without using encryption/decryption, you're going to have to store the login info somewhere, whether it's in the actual aspx page or in the web.config file (this is typically the general practice used by developers).

According to this blog post, you may be able to store the info directly in the registry if you have control over your server and then read it from your app.
0
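The web.config option from the answer above, combined with the encryption it alludes to, as an added example that is not part of the original thread or of the Microsoft KB sample. The class name `ConfiguredMailer` and the appSettings key names `SmtpServer`, `SmtpUser` and `SmtpPassword` are assumptions made for illustration.

```csharp
using System.Configuration;
using System.Web.Configuration;
using System.Web.Mail;

// Added example; key names are hypothetical. Assumes web.config <appSettings> has
// <add key="SmtpServer" .../>, <add key="SmtpUser" .../>, <add key="SmtpPassword" .../>.
public static class ConfiguredMailer
{
    const string Cdo = "http://schemas.microsoft.com/cdo/configuration/";

    // Run once after deployment. Encrypts <appSettings> on disk with the
    // machine-level RSA key; ASP.NET decrypts it transparently on read.
    // The calling identity needs write access to web.config for Save().
    public static void ProtectAppSettings()
    {
        System.Configuration.Configuration cfg =
            WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = cfg.GetSection("appSettings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
            cfg.Save();
        }
    }

    // Fail loudly on a missing setting instead of sending without credentials.
    static string Require(string key)
    {
        string value = WebConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("Missing appSettings key: " + key);
        return value;
    }

    public static void SendMail(string to, string from, string subject, string body)
    {
        string smtpServer = Require("SmtpServer");
        MailMessage msg = new MailMessage();
        msg.Fields.Add(Cdo + "smtpserver", smtpServer);
        msg.Fields.Add(Cdo + "smtpserverport", 25);
        msg.Fields.Add(Cdo + "sendusing", 2);        // cdoSendUsingPort
        msg.Fields.Add(Cdo + "smtpauthenticate", 1); // cdoBasic
        msg.Fields.Add(Cdo + "sendusername", Require("SmtpUser"));
        msg.Fields.Add(Cdo + "sendpassword", Require("SmtpPassword"));
        msg.To = to; msg.From = from; msg.Subject = subject; msg.Body = body;
        SmtpMail.SmtpServer = smtpServer;
        SmtpMail.Send(msg);
    }
}
```

Protected configuration keeps the credentials unreadable if web.config itself is disclosed or copied off the server; code running as the application identity on that machine can still read them. The same encryption can be applied from the command line with `aspnet_regiis -pe "appSettings" -app "/YourApp"`, where `/YourApp` is a placeholder virtual path.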
 
Bill Prew (Author) Commented:
> You could store them in a database.  What are your concerns with storing them in the asp page?

We were just concerned about the security risk of having credentials in clear text in the asp page.  This is a public webserver so we are concerned about the risk of someone gaining access to the asp page, and thus getting the email account credentials for the outgoing SMTP server.

~bp
0
 
Big Monty, Senior Web Developer / CEO of ExchangeTree.org, Commented:
0
 
Randy Poole Commented:
You could also create a DLL that your asp page calls that performs this functionality and stores the information in the actual DLL.
0
 
Scott Fell, EE MVE, Developer & EE Moderator, Commented:
Bill, storing an email address and email password like this is pretty common.  If somebody breaks into your server, you have bigger issues to worry about and changing your password for your email account is easy.
0
 
Gary Commented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for Scott Fell (padas)'s comment #a40200773

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
Big Monty, Senior Web Developer / CEO of ExchangeTree.org, Commented:
I think both Randy and myself offered more detailed ways to what the OP asked; at the very least I would split the points between Randy and myself.  With all due respect, Scott's answer was more along the lines of minimizing the OP's original concerns about security.
0
 
Bill Prew (Author) Commented:
Thanks to feedback and suggestions from all that participated.

~bp
0
