If I am encrypting the connection string section, anyone who has the web.config can decrypt the information.
There is no password key which is known only to me or something similar....
What's the idea here?? Anyone who will have that web.config with VS, will be able to decipher the info...
I don't get the idea...
It means that connection-specific information such as the database name, username, and password is stored as clear text in a file. This is definitely a security concern for your Production servers. This is why the connection strings should be encrypted.
Applications use connection strings to identify the server instance and database to connect to and to determine what driver, login, etc. to use to connect to the SQL Server instance. Typically, the connection string will be stored in a configuration file somewhere within the application or web server.
To read the connection string from code, use the ConfigurationSettings class. string connStr = ConfigurationSettings.AppSettings["myConnectionString"];
The providerName attribute is used to set the name of the .NET Framework data provider that the DataSource control uses to connect to an underlying data source. If no provider is set, the default is the ADO.NET provider for Microsoft SQL Server.
You wrongly assume that anyone can decrypt the web.config. Once the config file section is encrypted, it can only be decrypted on the same machine (or the machine that has got the same key - this is for web farming).
Usually, it is fairly easy to download the actual web.config remotely (through vulnerabilities). But the malicious user will not have your key and will not be able to decrypt the file (or sections with sensitive data).
The point here is that you have got to trust your site hoster, that is, that the sensitive key will not be distributed.
You can specify the encryption provider, but the default is the RSA provider. There is a key used, but it is 'secret'. So someone would need privileges to run applications on your server, or unrestricted access to the file system, in order to unencrypt your web.config.
This (especially step 2) talks about it:
http://msdn2.microsoft.com/en-us/library/ms998283.aspx
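An added example, not part of the original posts: encrypting the connectionStrings section with the default RSA provider from code and reading it back, which shows why a copied web.config alone is not enough. The class name, the virtual path argument and the connection string name are assumptions; the application needs a reference to System.Web and System.Configuration, and the account it runs under needs write access to web.config and read access to the machine's RSA key container.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper class for this example.
public static class ConnectionStringProtection
{
    // Default RSA provider registered in machine.config. Its private key
    // lives in a key container on the server, not in web.config.
    private const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in the web.config of the given application.
    // Returns false if the section was already encrypted.
    public static bool Protect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No connectionStrings section found.");

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return false;                      // nothing to do
        if (info.IsLocked)
            throw new ConfigurationErrorsException("Section is locked by a parent config.");

        info.ProtectSection(RsaProvider);      // replaces clear text with EncryptedData
        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reports which provider (if any) protects the section, for a deployment check.
    public static string DescribeProtection(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        SectionInformation info = config.GetSection("connectionStrings").SectionInformation;
        return info.IsProtected ? info.ProtectionProvider.Name : "NOT PROTECTED";
    }

    // Application code does not change: the runtime decrypts transparently,
    // but only where the provider's private key is available. On a machine
    // without that key this access throws instead of returning clear text.
    public static string Read(string name)
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
        if (entry == null)
            throw new ConfigurationErrorsException("Unknown connection string: " + name);
        return entry.ConnectionString;
    }
}
```

Calling Protect with the application's virtual path once after deployment, then DescribeProtection as a release check, catches a web.config that was shipped with the section still in clear text.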