0

is there a way to set the connection string in the IIS without setting it in the web.config file of the .net application? because i don't want the credentials to be set in the .net code

User7291
  • 1,095
  • 3
  • 29
  • 71
  • You can encrypt it. Or have your application obtain it from a "secret server". Or use environment variables. But I guess more importantly, is there someone who has access to your site's source code that isn't authorized to see the connection string? – mason May 10 '17 at 14:57
  • it is the publish of the source code that is linked to the IIS , but there are many tools to reverse the publish and have the source code so if i encrypt it in the web.config i will have to decrypt it in my code, and if they reverse the publish code they will know how to decrypt the connection string – User7291 May 10 '17 at 15:04
  • 2
    If somebody can "reverse the publish" that you don't trust I think you have far bigger issues on your hands then decrypting your connection strings. – Sean Lange May 10 '17 at 15:10
  • You don't HAVE to put the connection string in your config file. One way or another you will have to encrypt/decrypt it in code, so just access the decrypted string in your data layer class... – IrishChieftain May 10 '17 at 15:16

2 Answers2

1

You can encrypt the connection string

take a look at this : https://msdn.microsoft.com/en-us/library/dx0f3cf2(v=vs.85).aspx

Quote : The following example shows how to encrypt the connectionStrings section of the Web.config file for an application named SampleApplication:

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication"
Iomm1
  • 81
  • 7
  • it is the publish of the source code that is linked to the IIS , but there are many tools to reverse the publish and have the source code so if i encrypt it in the web.config i will have to decrypt it in my code, and if they reverse the publish code they will know how to decrypt the connection string – User7291 May 10 '17 at 15:05
  • I think the above process doesn't require you to do anything in your code, the encrypting/decrypting is handled by the authority in which the app pool is run. See this also - the question has come up before - any answers for you here? http://stackoverflow.com/questions/1706613/encrypting-connection-string-in-web-config – Iomm1 May 10 '17 at 15:21
1

You can put your connection string in applicationHost in this path:

%windir%\system32\inetsrv\config

There's an inheritance chain above the site that you must know about it:

enter image description here

you can see more information about it here.

Majid Parvin
  • 4,499
  • 5
  • 29
  • 47