Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Storing connection strings in machine.config vs storing them in web.config

For a dedicated server, is it better to store the connection string in web.config or machine.config? what's the advantages and disadvantages of each approach?

Thanks

Edit: I'm concerned about security here, so, the question is about which approach is more secure.

like image 301
Waleed Eissa Avatar asked Jul 26 '09 10:07

Waleed Eissa


People also ask

Is it safe to store connection string in Web config?

Connection string encryptionIn case you cannot use Integrated Security/Windows Authentication, you may have a username and password in clear text inside the web. config file. For obvious reasons, you really don't want that. If a hacker gets access to your web server, he/she now has access to your database as well.

What is the best way to store the connection string?

Connection strings can be stored as key/value pairs in the connectionStrings section of the configuration element of an application configuration file.

What is the difference between Web config and machine config?

config ? The web. config files specify configuration settings for a particular web application, and are located in the application's root directory; the machine. config file specifies configuration settings for all of the websites on the web server, and is located in $WINDOWSDIR$\Microsoft.Net\Framework\Version\Config.

Where do I put connection string in Web config?

After opening the web. config file in application, add sample db connection in connectionStrings section like this: <connectionStrings>


2 Answers

I would always go with web.config on the grounds that that is where everyone would expect it to be. There is no point in giving the person that has to maintain the web site any more difficulty by storing connection strings in an unusual place.

ADDITIONAL

Based on the additional information that the OP is interested in the security aspect, rather than and general reason I've added the following.

I still wouldn't store connection strings in the machine.config. If you do that any .NET application running on the machine has access to your connection strings.

web.config is a protected file. IIS won't serve it up by default unless you do something to misconfigure it.

like image 114
Colin Mackay Avatar answered Oct 01 '22 19:10

Colin Mackay


I prefer to keep my connection strings in the machine.config.

My connection strings are different between the DEV, QA and PROD environments and if I kept them in the web.config I couldn’t safely blow away my target directory and copy up the new code. Or I would have to remember to deploy everything but the web.config, this creates issues when other parts of the web.config change.

It depends on your situation, but when it gets a little complicated the risk of having the wrong connection string in the wrong environment is just too great. We have actually had situations where testing was hitting the wrong databases because the connection string was inadvertently moved. Machine.config is used for machine specific items - thus the name. It never gets moved from machine to machine.

So in my machine.config I have multiple connection strings like blogConnString, forumConnString, projectxConnString, etc. I don’t consider this mixing setting for different sites, I consider it keeping machine level setting in the maching.config.

You were worried about security, I think once they are on the box they are equally secured. But if the connection string is in the web.config it usually ends up in source control, developer’s desks, in backup files, in install plans, deployment sets, etc. This makes the web.config way less secure to me.

Finally, another approach is to have it in a totally different config file (say WebEnvironment.confg), that is then referenced in your web.config. This file would sit in a directory that is not physically under your web site, but is virtually under your site. More details are HERE.

like image 41
JBrooks Avatar answered Oct 01 '22 20:10

JBrooks