About web.config file

[Bob]

The web.config file is a pure XML file. Would people who visits my website
built on ASP.NET 2.0 be able to access my web.config file? i.e. can they do
http://mywebsite/web.config ?

I'm thinking of storing the DSN info in there and I definitely don't want
people to see my connection string.

 

[Mark Rae]

The web.config file is a pure XML file. Would people who visits my
website
built on ASP.NET 2.0 be able to access my web.config file? i.e. can they
do
http://mywebsite/web.config ?

What happened when you tried this for yourself...?

I'm thinking of storing the DSN info in there and I definitely don't want
people to see my connection string.

Why don't you use encryption?

 

[Karl Seguin]

No, the .config file is mapped to ASPX inside IIS, and within asp.net, it's
mapped to the ForbiddenHandler

so it goes

request for .config
iis --> asp.net
asp.net --> forbidden access


I hate to point out the obvious, but why not just try it out?

Karl

 

[Wouter van Vugt]

Hi Bob,

no, you can't request a web.config file. The ASP.NET framework has
attached a page handler to this file which serves a HTTP-Forbidden to
the client.

You can encrypt your config file if you don't want people to be able to
read it.

Grtz, Wouter

Trainer - Info Support
www.dive-in-it.nl

 

[Wouter van Vugt]

Ehr Karl,

that's what I said...

and the .config file is not mapped to ASPX. It is mapped to the ASP.NET
isapi dll which kick starts it all.

Oh well..

 

[Bob]

Excellent. Thanks, guys.

In other words, I can create my own custom .config file (i.e.
myusers.config) and rely on IIS to protect it from prying eyes for me?

 

[Karl Seguin]

yes