Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the best way to store connection string in .NET DLLs?

The application my team is currently developing has a DLL that is used to perform all database access. The application can not use a trusted connection because the database is behind a firewall and the domain server is not. So it appears that the connection string needs to have a DB username and password. The DLL currently has the database connection string hard coded, but I don't want to do this when we launch as the assembly can be disassembled and the username and password would be right there in the open.

One of the requirements is that the password needs to be changed once every few months, so we would need to roll that out to our internal user base.

Is there a way to store the password encrypted in such a way we can easily distribute to the entire user base without storing it in the assembly?

UPDATE: Thanks to everyone who's answered. I'll try to answer some of the questions back to me... The data DLL is used by both ASP.NET WebForms and VB.NET WinForms. I understand that Applications can have their own config files, but I haven't seen anything on config files for DLLs. Unfortunately, I can't get to the Jon Galloway post at work so I can't judge if that will work. From a development standpoint, we don't want to use web services inhouse, but may be providing them to third parties sometime next year. I don't think impersonation will work because we can't authenticate the user through the firewall. As a user (or former user) can be an attacker, we're keeping it from everyone!

like image 669
proudgeekdad Avatar asked Aug 08 '08 16:08

proudgeekdad


People also ask

What is the best way to store the connection string?

The best way to secure the database connection string is to encrypt the value within the configuration file. The application would then load the encrypted value from the config file, decrypt the value, and then use the decrypted value as the connection string to connect to the database.

Is it safe to store connection string in web config?

config based connectionstring as seems is unsafe, because one can read it. But think about it, if a person can read your web. config, means he can edit any file on your server anyways as he probably already hack or gain access to file.

Which file is used to store and configure the database connection string in .NET MVC?

By default, Sitefinity CMS stores the connection string to the database in the DataConfig. config file, located in folder ~/App_Data/Sitefinity/Configuration/. You can move the connection string to the web.

Where does net core store connection string?

ASP.NET Core Connection String is mainly used to connect to the database, which can be stored in the appsetting. json.


1 Answers

I'm not certain, but I believe you can put it in a config file and encrypt the config file.

Update: See Jon Galloway's post here.

like image 100
Adam V Avatar answered Oct 11 '22 01:10

Adam V