
Thread: [RESOLVED] [2005] Another Password Encryption question

  1. #1


    Resolved [RESOLVED] [2005] Another Password Encryption question

    I have started my first ASP.NET project and I must say, it is a learning experience... so this is a real basic question.

    I am using a membership and roles provider for MySql (by J Snyman and adapted for MySql Net connector) and I have it up and working fine, but the password and username are exposed in the Web.config file. The membership and roles provider is implemented entirely in the web.config, with no real code-behind, so where can I put the code to decrypt the password and user name to pass to the membership provider?

    Thanks in advance for your help.

    Here is my web.config:

    Code:
    <?xml version="1.0"?>
    
    <!--
        web.config for the "cdbnet" ASP.NET 2.0 application. It wires the
        site map, role, membership, profile and web-part personalization
        features to MySQL-backed providers (Simple.Providers.MySQL.*), all of
        which share the single connection string declared below.
    -->
    <configuration>
      
        <configSections>
            <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
                <section name="cdbnet.My.MySettings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
            </sectionGroup>
        </configSections>
        <appSettings/>
    
    
      <connectionStrings>
        <clear/>
        
        <!--
            SECURITY: the database user name and password are stored here in
            plain text, so anyone who can read this file (backups, source
            control, a file-disclosure bug) obtains the database credentials.
            ASP.NET 2.0 protected configuration can encrypt this whole section
            in place (for example: aspnet_regiis -pe "connectionStrings" with
            the application path); the runtime decrypts it transparently, so
            the providers below need no decryption code of their own.
            Encryption protects the file at rest only: code running inside the
            application can still read the decrypted value.
            NOTE(review): "Persist Security Info=True" keeps the password
            readable from the connection object after it has been opened;
            False is the safer value unless the provider depends on it.
            TODO confirm against the provider.
        -->
        <add name="SimpleProviderConnectionString" connectionString="server=localhost;User ID=PlainText_MyUserName;database=mydatabase;Password=PlainText_MyPassword;Persist Security Info=True"
        providerName="MySql.Data.MySqlClient" />
        
      </connectionStrings>
    
      
    
      <system.web>
            <!-- 
                Set compilation debug="true" to insert debugging 
                symbols into the compiled page. Because this 
                affects performance, set this value to true only 
                during development.
    
                Visual Basic options:
                Set strict="true" to disallow all data type conversions 
                where data loss can occur. 
                Set explicit="true" to force declaration of all variables.
            -->
            <!--
                NOTE(review): this section contains an allow rule but no deny
                rule. ASP.NET evaluates rules in order and falls through to
                the machine-level default, which allows all users, so as
                written this does not appear to restrict the site to the
                "Basic User" role. A deny rule for all users placed after the
                allow is what makes the restriction effective. Confirm the
                intended access policy.
            -->
            <authorization>
                  <allow roles="Basic User" />
            </authorization>
            <!--
                debug is still "true" here; per the comment above it should be
                switched to "false" before the site is deployed.
            -->
            <compilation debug="true" strict="false" explicit="true" />
            <pages>
                <namespaces>
                    <clear />
                    <add namespace="System" />
                    <add namespace="System.Collections" />
                    <add namespace="System.Collections.Specialized" />
                    <add namespace="System.Configuration" />
                    <add namespace="System.Text" />
                    <add namespace="System.Text.RegularExpressions" />
                    <add namespace="System.Web" />
                    <add namespace="System.Web.Caching" />
                    <add namespace="System.Web.SessionState" />
                    <add namespace="System.Web.Security" />
                    <add namespace="System.Web.Profile" />
                    <add namespace="System.Web.UI" />
                    <add namespace="System.Web.UI.WebControls" />
                    <add namespace="System.Web.UI.WebControls.WebParts" />
                    <add namespace="System.Web.UI.HtmlControls" />
                </namespaces>
            </pages>
            <!--
                The <authentication> section enables configuration 
                of the security authentication mode used by 
                ASP.NET to identify an incoming user. 
            -->
            <!--
                No <forms> child element is given, so the forms-authentication
                cookie uses the framework defaults. NOTE(review): the default
                does not require SSL for the cookie; set it explicitly if the
                site is served over HTTPS.
            -->
            <authentication mode="Forms" />
            <!--
                The <customErrors> section enables configuration 
                of what to do if/when an unhandled error occurs 
                during the execution of a request. Specifically, 
                it enables developers to configure html error pages 
                to be displayed in place of a error stack trace. -->
    
               <!--<customErrors mode="Off"/>-->
    
        <!--
            RemoteOnly: remote clients are redirected to GenericErrorPage.htm
            instead of seeing error details; keep the mode="Off" variant above
            commented out outside of local debugging.
        -->
        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
                <!--<error statusCode="403" redirect="NoAccess.htm" />-->
                <!--<error statusCode="404" redirect="FileNotFound.htm" />-->
            </customErrors>
           
          
          <!--This is the Security section added-->
          <siteMap defaultProvider="siteMapProvider" enabled="true">
    
            <providers>
              <clear />
              <add name="siteMapProvider"
                 type="Simple.Providers.MySQL.MysqlSiteMapProvider"
                 connectionStringName="SimpleProviderConnectionString"
                 applicationName="cdbnet"
                 description="MySQL site map provider"
                 securityTrimmingEnabled="true"/>
            </providers>
          </siteMap>
          <!--
              cacheRolesInCookie is "false", so roles are looked up through the
              provider rather than read from a cookie. NOTE(review): if role
              caching is ever enabled, cookieRequireSSL="false" would let the
              role cookie travel over plain HTTP; set it to "true" on an HTTPS
              site.
          -->
          <roleManager defaultProvider="roleProvider" enabled="true"
              cacheRolesInCookie="false" cookieName=".ASPROLES"
              cookieTimeout="7200" cookiePath="/" cookieRequireSSL="false"
              cookieSlidingExpiration="true" cookieProtection="All">
            <providers>
    
              <clear />
              <add name="roleProvider"
                  type="Simple.Providers.MySQL.MysqlRoleProvider"
                  connectionStringName="SimpleProviderConnectionString"
                  applicationName="cdbnet"
                  description="MySQL role provider"/>
            </providers>
          </roleManager>
          <membership defaultProvider="membershipProvider"
              userIsOnlineTimeWindow="15">
            <providers>
              <clear />
    
              <!--
                  SECURITY: passwordFormat="Clear" together with
                  enablePasswordRetrieval="true" asks the provider to keep user
                  passwords unencrypted in the database and to hand them back
                  on request (assuming this custom provider follows the
                  standard membership semantics; TODO confirm). Encrypting the
                  connection string does not protect those stored passwords.
                  passwordFormat="Hashed" with enablePasswordRetrieval="false"
                  (reset only) is the safer combination if the provider
                  supports it.
                  The password policy is also weak: minimum length 6 and no
                  non-alphanumeric character required.
              -->
              <add name="membershipProvider"
                  type="Simple.Providers.MySQL.MysqlMembershipProvider"
                  connectionStringName="SimpleProviderConnectionString"
                  applicationName="cdbnet"
                  enablePasswordRetrieval="true"
                  enablePasswordReset="true"
                  requiresQuestionAndAnswer="true"
                  requiresUniqueEmail="true" passwordFormat="Clear"
                  minRequiredPasswordLength="6"
                  minRequiredNonalphanumericCharacters="0"
                  description="MySQL membership provider"/>
            </providers>
          </membership>
          <profile defaultProvider="profileProvider"
              automaticSaveEnabled="true">
            <providers>
              <clear />
              <add name="profileProvider"
                  type="Simple.Providers.MySQL.MysqlProfileProvider"
                  connectionStringName="SimpleProviderConnectionString"
                  applicationName="cdbnet"
                  description="MySQL Profile Provider"/>
    
            </providers>
            <!-- No profile properties are defined yet; the list is cleared and left empty. -->
            <properties>
              <clear />
              
            </properties>
    
          </profile>
          
          <webParts>
            <personalization defaultProvider="personalizationProvider">
              
              <providers>
                <clear />
                <add name="personalizationProvider" type="Simple.Providers.MySQL.MysqlPersonalizationProvider"
                     connectionStringName="SimpleProviderConnectionString" applicationName="cdbnet" description="MySQL Personalization Provider"/>
                  </providers>
            
            </personalization>
          </webParts>
    
        </system.web>
      <!-- Application settings for the section registered in <configSections> above. -->
      <applicationSettings>
        <cdbnet.My.MySettings>
          <setting name="teststring" serializeAs="String">
            <value>this is a tester</value>
          </setting>
        </cdbnet.My.MySettings>
      </applicationSettings>
    </configuration>

  2. #2

    Re: [2005] Another Password Encryption question

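    You can encrypt the connection string so that it is only decrypted when a connection is about to be made to the database and is therefore not visible as plaintext inside the file. In ASP.NET 2.0 this is the protected configuration feature: the connectionStrings section is encrypted in place (for example with aspnet_regiis -pe) and the runtime decrypts it transparently, so the providers need no decryption code of their own.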

    Have a read: http://weblogs.asp.net/owscott/archi...29/421063.aspx

  3. #3


    Thumbs up Re: [2005] Another Password Encryption question

    Wow! This has sent me on a path that hurts.

    Anyway, after reading the suggested article(s) and about 20 more... I found this bit of information, which really wraps up the loose ends.

    http://blogs.msdn.com/mosharaf/archi...n.aspx#1657603

    Thanks for your help.

  4. #4

    Re: [RESOLVED] [2005] Another Password Encryption question

    No problem, good choice. We encrypt our files too.
