Hiding user and password in ASPX (for CDO Message sends)

I have seen examples like the one below on the Microsoft web site with regard to sending an email from an aspx page script using CDO Message. My question though is what is the best practice with regard to hiding the password and not just including it in the aspx script code? This will be the username and password for the SMTP email server we are using, so it isn't a user on the IIS server, etc. Any guidance appreciated...

http://support.microsoft.com/kb/555287

using System;
using System.Web.Mail;

namespace SMTPAuthentication
{
    public class SMTPAuthenticationExample
    {
        public static void SendMail()
        {
            string smtpServer = "smtp.domain.com";
            // Credentials for the outgoing SMTP server, hard-coded in the page source.
            string userName = "johnDoe";
            string password = "pass";
            int cdoBasic = 1;          // smtpauthenticate: basic (clear-text) authentication
            int cdoSendUsingPort = 2;  // sendusing: send over the network to an SMTP port
            MailMessage msg = new MailMessage();
            if (userName.Length > 0)
            {
                // CDO configuration fields used for authenticated SMTP.
                msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpserver", smtpServer);
                msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpserverport", 25);
                msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendusing", cdoSendUsingPort);
                msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate", cdoBasic);
                msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendusername", userName);
                msg.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendpassword", password);
            }
            msg.To = "someone@domain.com";
            msg.From = "me@domain.com";
            msg.Subject = "Subject";
            msg.Body = "Message";
            SmtpMail.SmtpServer = smtpServer;
            SmtpMail.Send(msg);
        }
    }
}


~bp
Bill Prew Asked:

Randy Poole Commented:
You could store them in a database.  What are your concerns with storing them in the asp page?
0
Big Monty, Senior Web Developer / CEO of ExchangeTree.org Commented:
Without using encryption/decryption, you're going to have to store the login info somewhere, whether it's in the actual aspx page or in the web.config file (this is typically the general practice used by developers).

According to this blog post, you may be able to store the info directly in the registry if you have control over your server and then read it from your app.
0
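Added example, not part of the thread or of any participant's post: the question's SendMail with the SMTP credentials read from web.config appSettings instead of the page source. It goes one step further than the answer above by refusing to send unless the section is encrypted on disk. The key names SmtpHost, SmtpUser and SmtpPassword, the class name ConfiguredMailer and the site path are assumptions.

```csharp
// Added example. Assumed appSettings keys in web.config:
//   <add key="SmtpHost" value="smtp.domain.com" />
//   <add key="SmtpUser" value="..." />  <add key="SmtpPassword" value="..." />
// Encrypt the section at deploy time (placeholder path):
//   aspnet_regiis -pef "appSettings" "C:\path\to\site"
using System.Configuration;
using System.Web;
using System.Web.Configuration;
using System.Web.Mail;

namespace SMTPAuthentication
{
    public static class ConfiguredMailer   // hypothetical class name
    {
        const string Cdo = "http://schemas.microsoft.com/cdo/configuration/";

        // Fail closed when a key is missing rather than sending with empty credentials.
        static string Require(string key)
        {
            string value = WebConfigurationManager.AppSettings[key];
            if (string.IsNullOrEmpty(value))
                throw new ConfigurationErrorsException("Missing appSetting: " + key);
            return value;
        }

        // True when appSettings is stored encrypted in the web.config file.
        public static bool SettingsAreProtected()
        {
            Configuration cfg = WebConfigurationManager.OpenWebConfiguration(
                HttpRuntime.AppDomainAppVirtualPath);
            return cfg.GetSection("appSettings").SectionInformation.IsProtected;
        }

        public static void SendMail(string toAddr, string fromAddr, string subject, string body)
        {
            if (!SettingsAreProtected())
                throw new ConfigurationErrorsException("appSettings is not encrypted");
            string host = Require("SmtpHost");
            MailMessage msg = new MailMessage();
            msg.Fields.Add(Cdo + "smtpserver", host);
            msg.Fields.Add(Cdo + "smtpserverport", 25);
            msg.Fields.Add(Cdo + "sendusing", 2);         // cdoSendUsingPort
            msg.Fields.Add(Cdo + "smtpauthenticate", 1);  // cdoBasic
            msg.Fields.Add(Cdo + "sendusername", Require("SmtpUser"));
            msg.Fields.Add(Cdo + "sendpassword", Require("SmtpPassword"));
            msg.To = toAddr; msg.From = fromAddr;
            msg.Subject = subject; msg.Body = body;
            SmtpMail.SmtpServer = host;
            SmtpMail.Send(msg);
        }
    }
}
```

Section encryption protects the file on disk and in backups; code running under the application's identity still receives the decrypted values.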
Bill Prew, Author Commented:
> You could store them in a database.  What are your concerns with storing them in the asp page?

We were just concerned about the security risk of having credentials in clear text in the asp page.  This is a public webserver so we are concerned about the risk of someone gaining access to the asp page, and thus getting the email account credentials for the outgoing SMTP server.

~bp
0
Big Monty, Senior Web Developer / CEO of ExchangeTree.org Commented:
0
Randy Poole Commented:
You could also create a dll that your asp page calls that performs this functionality and stores the information in the actual DLL.
0
Scott Fell, EE MVE, Developer & EE Moderator Commented:
Bill, storing an email address and email password like this is pretty common.  If somebody breaks into your server, you have bigger issues to worry about and changing your password for your email account is easy.
0

Gary Commented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for Scott Fell (padas)'s comment #a40200773

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Big Monty, Senior Web Developer / CEO of ExchangeTree.org Commented:
I think both Randy and myself offered more detailed ways to what the OP asked; at the very least I would split the points between Randy and myself.  With all due respect, Scott's answer was more along the lines of minimizing the OP's original concerns about security.
0
Bill Prew, Author Commented:
Thanks to feedback and suggestions from all that participated.

~bp
0