I’m considering using FormsAuthentication in my web app. Just how secure is it to specify the users in the web.config that are allowed to use the application?
Here is an example of what I am talking about:
<authentication mode="Forms">
  <forms loginUrl="TestLogin.aspx" slidingExpiration="true" timeout="30">
    <!-- passwordFormat defaults to SHA1, so a plaintext password only matches when "Clear" is stated -->
    <credentials passwordFormat="Clear">
      <user name="test" password="password"></user>
    </credentials>
  </forms>
</authentication>
By default, IIS will not serve any file that ends in a .config extension, so as long as you trust anyone who has access to manage your web server, you should be fine. Think of it this way: most people store database connection information in their web.config files already, so if you have your users defined in a database, it’s just one step away from being compromised anyway.
If you’ve only got a few users to deal with, and their credentials don’t change often, you should be fine using web.config to store your users. It’s probably a good idea to not store your users’ passwords in plain text though. If you’re super paranoid, have a look into encrypting the authentication section of your web.config file: http://www.codeguru.com/csharp/.net/net_asp/miscellaneous/print.php/c13663.
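The answer's advice to stop keeping plain-text passwords in the credentials block can be applied with a small migration step. The following Python helper is an added example, not code from the question, the answer, or ASP.NET itself: it takes a web.config fragment (a constructed sample mirroring the question's layout), rewrites each passwordFormat="Clear" block to SHA1 using the uppercase hex digest layout that FormsAuthentication.Authenticate compares against, and leaves blocks that are already hashed untouched so nothing is hashed twice.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config fragment mirroring the question's layout, with
# passwordFormat="Clear" made explicit so the plaintext password actually works.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="TestLogin.aspx" slidingExpiration="true" timeout="30">
        <credentials passwordFormat="Clear">
          <user name="test" password="password" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""


def hash_for_config(password: str) -> str:
    """Uppercase hex SHA1 over the UTF-8 password: the form ASP.NET's
    FormsAuthentication.Authenticate compares against when passwordFormat="SHA1"."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def harden_credentials(config_xml: str) -> tuple[str, list[str]]:
    """Rewrite every <credentials passwordFormat="Clear"> block to SHA1 hashes.

    Returns the rewritten XML and the user names that were converted. Blocks
    whose passwordFormat is already SHA1/MD5 (or absent, which ASP.NET treats
    as SHA1) are skipped so existing hashes are never hashed a second time.
    """
    root = ET.fromstring(config_xml)
    converted: list[str] = []
    for creds in root.iter("credentials"):
        fmt = creds.get("passwordFormat", "SHA1")
        if fmt.lower() != "clear":
            continue
        for user in creds.findall("user"):
            user.set("password", hash_for_config(user.get("password", "")))
            converted.append(user.get("name", ""))
        creds.set("passwordFormat", "SHA1")
    return ET.tostring(root, encoding="unicode"), converted


if __name__ == "__main__":
    new_xml, users = harden_credentials(SAMPLE_WEB_CONFIG)
    print("converted:", users)
    print(new_xml)
```

An unsalted SHA1 digest still falls to offline guessing if the file is read, so this complements rather than replaces encrypting the authentication section as the answer suggests.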