RE: Encryption of Connection String

From: Gang Guo [MSFT] (gangguo@online.microsoft.com)
Date: 12/30/02 

From: gangguo@online.microsoft.com (Gang Guo [MSFT])
Date: Mon, 30 Dec 2002 06:18:08 GMT

If the connection string is for the session state server, please check the
following article.

Q329290 HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session
State
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q329290

If it is for your application, my advice is to use Windows authentication
to connect to your SQL server, thus you will not need store the user name
and password in any form.

If you need use the standard authentication (that means the UID and PWD are
needed for the connection string), as long as you keep your web server
safe, it doesn't make big difference how you encrypt your connection
string. If you just don't want to store the connection string as clear text
in the config file, you can use some class under
System.Security.Cryptography to encrypt/decrypt it, and store the key in
your code/or some registry.

Remember one thing, no matter how your application encryption/store the
connection string, you must decrypt and restore the UID/PWD to clear text
before you make the connection. If your web server is not physical secured,
someone who are really want to get your connection string just need crack
the uid/pwd at that time and that will defeat all your effort for
protection.

Regards,
Gang Guo
This posting is provided "AS IS" with no warranties, and confers no rights.
Got .Net? http://www.gotdotnet.com

Relevant Pages

  • Re: OLE DB connection string in SharePoint for Sybase ASA
    ... I wen to the Sybase site and found a reference to Connection String ... > where I WANT it to say Database Connections. ... > and up pops a Data Source Properties Window. ... > Server Error: An error occurred while retrieving the list of Databases ...
    (microsoft.public.frontpage.client)
  • Re: DBIx::DBH - Perl extension for simplifying database connectio ns
    ... Only one of the Informix notations has a host name in it, ... that's technically not a host name but a server name - the distinction ... under the illusion that people who use Perl to access a database know ... The connection string is system-specific -- end of sob story. ...
    (perl.dbi.users)
  • Re: help with changing some code from mdb to adp
    ... At the end of this post is an example of an ADO connection string to a SQL ... Server database, and '' to the UNC path/name of your instance of SQL ... Windows, you can't create a new UDL file directly, but you can create a new, ...
    (microsoft.public.access.adp.sqlserver)
  • Re: Use Dpapi with Shared Asp.Net Web Host?
    ... Since the only directory I have access to on the web host server is a given ... > DPAPI is only suitable for encrypting and decrypting stuff on the same ... >> I'd like to use an encrypted database connection string. ... The dpapi should enable me to encrypt the ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: problems with my web application
    ... An application error occurred on the server. ... This <customErrors> tag should then have its ... connection string is registered in web.config. ...
    (microsoft.public.dotnet.csharp.general)