VB.NET 2013: Application Settings Vs. app.config

I am maintaining several applications.  Some of them use app.config files, the others use Application settings.  All of the applications use one or the other.  

It is my understanding that the app.config files are meant to be read-only from the application, where the Application settings can be modified from the application.  And that the app.config file has the benefit of being modifiable without needing a recompile.

-  Is my understanding correct?
-  Are there situations where using both would be good form?  For example, connection strings in the app.config (in case your database moves) and application settings that the user might change in the Application Settings?

Thanks in advance!

- Michael
mjs082969Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

it_saigeDeveloperCommented:
Basically App.config is your development environment's version of XYZ.exe.config.  When you compile your project, the IDE takes the app.config and turns it into xyz.exe.config.  If xyz.exe reads any setting using the System.Configuration classes, they will be read from xyz.exe.config.  The setting tab (Application settings), ultimately, has no relationship with either of these files (although, application-defined settings are stored in the xyz.exe.config).  Instead, the settings tab modifies a file called Settings.settings within your development environment (found in Show All Files --> My Project --> Settings.settings).  This file contains application-defined and user-defined settings that you can modify within your IDE.  The difference being that application-defined settings are read-only and user-defined settings are read-write enabled.  The configuration file generated from this is actually stored in the local profile of the user running your application (%USERPROFILE%\Local Settings\<Company Name>\<Assembly Name>\<version>\user.config).  These are known as My.Settings.

You are right in the thought that since they are xml files that the modification of the values contained within do not require a recompile (unless you do something the requires that you change the type associated with the value).

Check this blog for more answers:  http://ryanfarley.com/blog/archive/2004/07/13/879.aspx
MSDN on My.Settings:  http://msdn.microsoft.com/en-us/library/ms379611(VS.80).aspx

-saige-
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mjs082969Author Commented:
Would it also be correct to say that to properly secure connection strings (which include the SQL server user name and password) that the connection string settings should be put into the app.config so that they may be encrypted?  I was under the impression that including them in the Application Settings was secure, because they would be in the compiled executable.  But the MSIL decompiler could be used to access this information....
0
it_saigeDeveloperCommented:
Choosing to place the connection string in the app.config does not make it any more or less secure than putting it into the registry, defining it as a constant or embedding it as a resource.

Choosing to place the connection string in the app.config is more about ease of accessibility from a development standpoint.  Regardless of the location you choose, I would definately encrypt the connection string.  Especially since the app.config is a xml file and everything is in clear text, e.g.  Sample app.config -
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
	<connectionStrings>
		<add name="CodeSampleCS.Properties.Settings.NORTHWNDConnectionString"
		    connectionString="TestToGetStringFrom App.config File"
		    providerName="System.Data.SqlClient" />
	</connectionStrings>
</configuration>

Open in new window


In short, no matter where you define sensitive information, encryption is usually recommended.

-saige-
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Visual Basic.NET

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.