ASP.NET 2005 connection string

[John]

Hello. I've been programming in classic .asp and am looking into moving
towards asp.net 2005 which the modeling layout appears to be different than
what I've been used to. Should I put the connection string to our SQL
Server in the web.config file? I've been wrapping my classic .asp apps with
https to encrypt the connection string and was wondering if I can do the
same for asp.net 2005. Also, I need to be able to have individual SQL
usernames and passwords for the connection string and not a hard coded
generic account for auditing purposes. Is this possible to say create a
login screen to capture the user's SQL login info and then pass these into
the asp.net 2005 connection string which would be stored in the web.config
file?...or should the connection string be stored in a different global file
named something like 'dbconnection.aspx'?

Thanks in advance.

J

 

[Dominick Baier [DevelopMentor]]

web.config is the usual way to store stuff like that in ASP.NET

 

[Joe Kaplan \(MVP - ADSI\)]

Another thing to consider is that it may not be important to encrypt the
connection string in this case. Since the conn string will be built
dynamically for each use based on the credentials they supplied during
login, the only really important info left in the "static" part of the conn
string in web.config would be the server name. Depending on your policies,
that info may or may not really be confidential.

If you do need to encrypt it, there are a bunch of options in .NET 2.0.

Joe K.

 

[John]

So it would be ok to use like session UserName and session Password
variables as part of the dynamic connection string that's in the web.config
file through https method?

Thanks for your reply Joe.

J

 

[Joe Kaplan \(MVP - ADSI\)]

You would need some sort of a persistence mechanism, as you'll need the
user's credentials for every SQL request, but you'll only prompt them for
their credentials once.

Session would possibly work. You might also encrypt it and put it in the
forms auth ticket so that it follows the forms auth around. You'd hate to
have to reprompt the user for the password if your session state expired
while their forms auth was still valid.

Joe K.

 

[John]

Thanks a bunch Joe. I appreciate it.

J

You would need some sort of a persistence mechanism, as you'll need the
user's credentials for every SQL request, but you'll only prompt them for
their credentials once.

Session would possibly work. You might also encrypt it and put it in the
forms auth ticket so that it follows the forms auth around. You'd hate to
have to reprompt the user for the password if your session state expired
while their forms auth was still valid.

Joe K.

So it would be ok to use like session UserName and session Password
variables as part of the dynamic connection string that's in the
web.config file through https method?

Thanks for your reply Joe.

J

Another thing to consider is that it may not be important to encrypt the
connection string in this case. Since the conn string will be built
dynamically for each use based on the credentials they supplied during
login, the only really important info left in the "static" part of the
conn string in web.config would be the server name. Depending on your
policies, that info may or may not really be confidential.

If you do need to encrypt it, there are a bunch of options in .NET 2.0.

Joe K.

"Dominick Baier [DevelopMentor]" <[email protected]>
wrote in message
web.config is the usual way to store stuff like that in ASP.NET

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hello. I've been programming in classic .asp and am looking into
moving towards asp.net 2005 which the modeling layout appears to be
different than what I've been used to. Should I put the connection
string to our SQL Server in the web.config file? I've been wrapping
my classic .asp apps with https to encrypt the connection string and
was wondering if I can do the same for asp.net 2005. Also, I need to
be able to have individual SQL usernames and passwords for the
connection string and not a hard coded generic account for auditing
purposes. Is this possible to say create a login screen to capture
the user's SQL login info and then pass these into the asp.net 2005
connection string which would be stored in the web.config file?...or
should the connection string be stored in a different global file
named something like 'dbconnection.aspx'?

Thanks in advance.

J