lapucca
asked on
Where is the best place to put id and passwords?
Hi, I'm using VS2010.
I created a web application and I am wondering where is the best place to store the userid and password. Currently I have it in Web.config in the App setting section. Well, should I just put it in my C# code? I mean when I deploy to web server then it's in dll form? Shouldn't that be better than web.config? If that server is hacked then they might get to the web.config and read the password. Thank you for your input.
ASKER
Currently the web.config is just under the www folder of the Windows IIS web server. I don't know what you mean by web server is the owner. Web server is a machine and not an account that I'm aware of. And how do I set 700 permission? I only know that if I right-click a folder or file, I can click on the Security tab and set different user accounts to different access permission levels. I'd appreciate it if you can elaborate. Thank you.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks but looking at that didn't really explain about permission 700 .... Should I just leave it in the C# code instead? Thank you.
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
I'm using IIS on Windows server. Thank you. I will look into encryption.
or instead consider:
"Set your config files in a directory outside of public webspace, the webserver should be the owner of this directory and it should have permissions set to 700. All files it contains should be 644. This way no one can even read the file contents apart from webserver user or root.
This is a common approach, but there is a lot more to the subject as security is a very vast topic, but is better than 90% of the setups out there."
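The quoted advice uses Unix modes (700/644), which have no direct setting on the Windows/IIS server the asker describes. The following PowerShell is an added example, not part of the original thread, showing an approximate NTFS equivalent: a folder outside the site root whose ACL grants access only to administrators, SYSTEM and the account the site runs as. The folder path and application pool name are assumptions.

```powershell
# Assumed names (not from the thread); adjust to your server.
$configDir   = 'D:\AppSecrets\MyWebApp'     # hypothetical folder outside the IIS site root
$appIdentity = 'IIS AppPool\MyWebAppPool'   # hypothetical application pool identity (IIS 7+)

# Identities allowed on the folder. Built-in names assume an English-language Windows install.
$grants = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $appIdentity;             Rights = 'ReadAndExecute' }   # the site only reads
)

if (-not (Test-Path -Path $configDir)) {
    New-Item -ItemType Directory -Path $configDir | Out-Null
}

$acl = Get-Acl -Path $configDir

# Stop inheriting from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Drop explicit entries left over from earlier changes.
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}

# Add the three allowed entries; they apply to the folder and everything created in it.
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $configDir -AclObject $acl

# Check: report any entry that is not one of the three identities above.
$allowed    = $grants | ForEach-Object { $_.Id }
$unexpected = (Get-Acl -Path $configDir).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }

if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    'ACL is restricted to: ' + ($allowed -join ', ')
}
```

Run it from an elevated PowerShell prompt on the web server; the application pool must already exist, otherwise its identity cannot be resolved when the rule is added.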