The "&" character breaks passwords that are stored in the web.config

Question

I have an ASP.NET MVC3 C# .NET Application running on IIS 7.5.

We have a Windows NT service account we Impersonate in our code in order to read/write documents to a file share. The user id is compiled in the code and the service account password is stored in the web.config file.

The password contains an ampersand character (i.e.: p&ssword).

This broke the site. When accessing the site we received this error :"Sorry, an error occurred while processing your request".

Here is the code that uses the password:

    var password = ConfigurationManager.AppSettings.Get(Common.SVC_PWD);      bool isSuccess = LogonUser(         @"my_svc_acct",         "my.domain.net",         password,         LOGON32_LOGON_NEW_CREDENTIALS,         LOGON32_PROVIDER_DEFAULT, ref token     ); 

Why would this cause the site to break?

Answer 1

I suspect that you didn't encode the password properly in the web.config file. Remember that web.config is a XML file, so entities must be encoded.

Instead of

my&password  

try

my&password 

You can use sites such as FreeFormatter.com to escape/unescape XML strings.

Answer 2

You will need to put the encoded value in the web.config. It will read it out properly once you pull it but in the config file itself it needs to be encoded.

eg:

Password: your&password (what you expect)

Encoded version: your&password (what should be stored in your web.config)

Your wrapper method that reads out the value should unencode it automatically to your&password.

You will need to do this for all 'special' characters:

< = &lt; > = &gt; " = &quot; ' = &apos; & = &amp;