I store the connection string in the Web Config, but it is encrypted using DPAPI. There is an online tutorial how to do this and it is very slick.
NorthWest Data Solutions, Anchorage, Alaska John Bergman <[EMAIL PROTECTED]> wrote: ... unless you add some sort of impersonation code. You could ask the user to sign in, and use that username/password to impersonate the user on the thread you are running inside the application -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Lascu Sent: Thursday, December 09, 2004 10:43 AM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string Right, but this would be easy to guess, plus it can never be changed by the DBA. -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] Behalf Of Bob Provencher Sent: Thursday, December 09, 2004 11:37 AM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string No, it's the user the process is running under. For example machinename\ASPNET. -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Lascu Sent: Thursday, December 09, 2004 11:29 AM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string > The account accessing the database will be the one the process is running under... Doesn't that mean you need to have database accounts for every user? Adding new users to the system will include the creation of a new account in the database which I guess transfers responsibility over to the SysAdmin/DBA. For huge systems, with multiple databases and tens to hundreds of users, this adds an extra level of complexity, when it comes to administration. For small systems with less users I guess it's a viable and interesting solution. Thanks for the idea, Eddie -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] Behalf Of Bob Provencher Sent: Thursday, December 09, 2004 11:15 AM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string One idea is to use windows authentication. Specify Integrated Security=SSPI. The account accessing the database will be the one the process is running under... You don't have to encode the username and password into the connect string. -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Lascu Sent: Thursday, December 09, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: [ADVANCED-DOTNET] How and where to store securely a database connection string I would like to hear about different options to securely store a database connection string. In the past we used to hard code it but that meant that we will never be able to change it unless we were ready to recompile the hole application/system (or at least parts of it). With .NET the app.config file is an easy place to put it. It's convenient because you can change it with a simple text editor (Notepad). You don't need to recompile your application, a restart would be enough (ASP.NET doesn't even need that). However, it's not really secure because everyone can have access to it. Is there a way to encrypt the app.config or at least parts of it? I guess I could encrypt the connection string and store it in the app.config. I could include the decryption algorithm in my app but then I would need a different application to be able to decrypt the string, change it and encrypt it back into the app.config. I am really curious about what are different options here. All the best, Eddie =================================== This list is hosted by DevelopMentorR http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor. http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor. http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor. http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor(r) http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com =================================== This list is hosted by DevelopMentor� http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com Christopher M. Howell NorthWest Data Solutions Anchorage, Alaska --------------------------------- Do you Yahoo!? Yahoo! Mail - Find what you need with new enhanced search. Learn more. =================================== This list is hosted by DevelopMentor� http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com
