Mar 14th, 2009, 03:18 PM
#1
Thread Starter
Lively Member
[RESOLVED] [2005] Another Password Encryption question
I have started my first ASP.NET project and I must say, it is a learning experience... so this is a real basic question.
I am using a membership and roles provider for MySql (by J Snyman and adapted for MySql Net connector) and I have it up and working fine, but the password and username are exposed in the Web.config file. The membership and roles provider is implemented entirely in the web.config, with no real code-behind, so where can I put the code to decrypt the password and user name before passing them to the membership provider?
Thanks in advance for your help.
Here is my web.config:
Code:
<?xml version="1.0"?>
<!--
ASP.NET web.config for the "cdbnet" application. It wires the site map,
role, membership, profile and web parts personalization providers from
Simple.Providers.MySQL to a single MySQL connection string, and turns on
Forms authentication.
-->
<configuration>
<configSections>
<sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
<section name="cdbnet.My.MySettings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</sectionGroup>
</configSections>
<appSettings/>
<!--
NOTE(review): the database user name and password are stored in clear text
in this section, and every provider below reads this one entry through
connectionStringName. Anyone who can read the file (backup, source control,
a file disclosure bug) gets the database login.
Mitigation: encrypt the section with ASP.NET protected configuration, for
example aspnet_regiis -pe "connectionStrings" -app "/YOUR_APP_PATH"
(placeholder path). The runtime decrypts the section transparently, so the
providers need no decryption code. Also restrict the file ACLs and give the
database account only the rights the providers need.
NOTE(review): Persist Security Info=True keeps the password readable from
the connection string after the connection is opened; set it to False
unless the provider is known to need it (confirm against the provider).
-->
<connectionStrings>
<clear/>
<add name="SimpleProviderConnectionString" connectionString="server=localhost;User ID=PlainText_MyUserName;database=mydatabase;Password=PlainText_MyPassword;Persist Security Info=True"
providerName="MySql.Data.MySqlClient" />
</connectionStrings>
<system.web>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
Visual Basic options:
Set strict="true" to disallow all data type conversions
where data loss can occur.
Set explicit="true" to force declaration of all variables.
-->
<!--
NOTE(review): this section holds only an allow rule for the role
"Basic User" and no deny rule. ASP.NET evaluates rules in order and then
falls through to inherited rules, whose default is to allow all users, so
this rule alone presumably does not keep other users out. If the intent is
to limit the site to this role, add <deny users="*" /> after the allow
and verify that the login page remains reachable.
-->
<authorization>
<allow roles="Basic User" />
</authorization>
<!--
NOTE(review): debug is "true" in this listing. Switch it to "false" before
deployment; debug builds disable request timeouts and expose more detail
when something fails.
-->
<compilation debug="true" strict="false" explicit="true" />
<pages>
<!-- Namespaces imported into every page; the list is reset with <clear /> first. -->
<namespaces>
<clear />
<add namespace="System" />
<add namespace="System.Collections" />
<add namespace="System.Collections.Specialized" />
<add namespace="System.Configuration" />
<add namespace="System.Text" />
<add namespace="System.Text.RegularExpressions" />
<add namespace="System.Web" />
<add namespace="System.Web.Caching" />
<add namespace="System.Web.SessionState" />
<add namespace="System.Web.Security" />
<add namespace="System.Web.Profile" />
<add namespace="System.Web.UI" />
<add namespace="System.Web.UI.WebControls" />
<add namespace="System.Web.UI.WebControls.WebParts" />
<add namespace="System.Web.UI.HtmlControls" />
</namespaces>
</pages>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<!--
NOTE(review): Forms mode is selected with no <forms> child, so the
framework defaults apply to the login cookie. When the site is served over
HTTPS, add a <forms> element with requireSSL="true" so the authentication
ticket is never sent over plain HTTP.
-->
<authentication mode="Forms" />
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of an error stack trace. -->
<!--<customErrors mode="Off"/>-->
<!-- RemoteOnly: remote clients get GenericErrorPage.htm; detailed errors are shown only to local requests. -->
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<!--<error statusCode="403" redirect="NoAccess.htm" />-->
<!--<error statusCode="404" redirect="FileNotFound.htm" />-->
</customErrors>
<!--This is the Security section added-->
<!-- Site map provider; securityTrimmingEnabled="true" asks the provider to hide nodes the current user's roles may not see. -->
<siteMap defaultProvider="siteMapProvider" enabled="true">
<providers>
<clear />
<add name="siteMapProvider"
type="Simple.Providers.MySQL.MysqlSiteMapProvider"
connectionStringName="SimpleProviderConnectionString"
applicationName="cdbnet"
description="MySQL site map provider"
securityTrimmingEnabled="true"/>
</providers>
</siteMap>
<!--
Role manager. cacheRolesInCookie="false" means roles are looked up through
the provider rather than cached in the .ASPROLES cookie, so the cookie
attributes below matter only if caching is later switched on.
NOTE(review): if it is, cookieRequireSSL="false" lets the role cookie travel
over plain HTTP, and cookieTimeout is expressed in minutes, so 7200 is five
days with sliding expiration. cookieProtection="All" keeps the cookie both
encrypted and validated. Prefer cookieRequireSSL="true" on an HTTPS site.
-->
<roleManager defaultProvider="roleProvider" enabled="true"
cacheRolesInCookie="false" cookieName=".ASPROLES"
cookieTimeout="7200" cookiePath="/" cookieRequireSSL="false"
cookieSlidingExpiration="true" cookieProtection="All">
<providers>
<clear />
<add name="roleProvider"
type="Simple.Providers.MySQL.MysqlRoleProvider"
connectionStringName="SimpleProviderConnectionString"
applicationName="cdbnet"
description="MySQL role provider"/>
</providers>
</roleManager>
<membership defaultProvider="membershipProvider"
userIsOnlineTimeWindow="15">
<providers>
<clear />
<!--
NOTE(review): passwordFormat="Clear" together with
enablePasswordRetrieval="true" asks the provider to keep user passwords
in a recoverable, unprotected form, so a database leak exposes every
account's password. Prefer passwordFormat="Hashed" with
enablePasswordRetrieval="false" and rely on password reset instead;
confirm that this custom provider supports Hashed, and plan a reset or
migration for passwords already stored in clear.
NOTE(review): a minimum length of 6 with no required non-alphanumeric
characters is a weak password policy; consider raising it.
-->
<add name="membershipProvider"
type="Simple.Providers.MySQL.MysqlMembershipProvider"
connectionStringName="SimpleProviderConnectionString"
applicationName="cdbnet"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true" passwordFormat="Clear"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
description="MySQL membership provider"/>
</providers>
</membership>
<!-- Profile provider; no profile properties are defined (the list is cleared and left empty). -->
<profile defaultProvider="profileProvider"
automaticSaveEnabled="true">
<providers>
<clear />
<add name="profileProvider"
type="Simple.Providers.MySQL.MysqlProfileProvider"
connectionStringName="SimpleProviderConnectionString"
applicationName="cdbnet"
description="MySQL Profile Provider"/>
</providers>
<properties>
<clear />
</properties>
</profile>
<!-- Web parts personalization, stored through the same MySQL connection string. -->
<webParts>
<personalization defaultProvider="personalizationProvider">
<providers>
<clear />
<add name="personalizationProvider" type="Simple.Providers.MySQL.MysqlPersonalizationProvider"
connectionStringName="SimpleProviderConnectionString" applicationName="cdbnet" description="MySQL Personalization Provider"/>
</providers>
</personalization>
</webParts>
</system.web>
<!-- Application settings for cdbnet.My.MySettings; holds a single test string. -->
<applicationSettings>
<cdbnet.My.MySettings>
<setting name="teststring" serializeAs="String">
<value>this is a tester</value>
</setting>
</cdbnet.My.MySettings>
</applicationSettings>
</configuration>
-
Mar 14th, 2009, 04:39 PM
#2
Re: [2005] Another Password Encryption question
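You can encrypt the connection string so that it is decrypted only when a connection is about to be made to the database and is therefore not visible as plaintext inside the file. ASP.NET's protected configuration performs that decryption for you when the section is read, so there is no decryption code to write or place anywhere in the application.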
Have a read: http://weblogs.asp.net/owscott/archi...29/421063.aspx
-
Mar 14th, 2009, 07:14 PM
#3
Thread Starter
Lively Member
-
Mar 16th, 2009, 07:59 AM
#4
Re: [RESOLVED] [2005] Another Password Encryption question
No problem, good choice. We encrypt our files too.