About web.config file

  • Thread starter Thread starter Bob
  • Start date Start date
B

Bob

The web.config file is a pure XML file. Would people who visits my website
built on ASP.NET 2.0 be able to access my web.config file? i.e. can they do
http://mywebsite/web.config ?

I'm thinking of storing the DSN info in there and I definitely don't want
people to see my connection string.
 
The web.config file is a pure XML file. Would people who visits my
website
built on ASP.NET 2.0 be able to access my web.config file? i.e. can they
do
http://mywebsite/web.config ?
Click to expand...

What happened when you tried this for yourself...?
I'm thinking of storing the DSN info in there and I definitely don't want
people to see my connection string.
Click to expand...

Why don't you use encryption?
 
No, the .config file is mapped to ASPX inside IIS, and within asp.net, it's
mapped to the ForbiddenHandler

so it goes

request for .config
iis --> asp.net
asp.net --> forbidden access


I hate to point out the obvious, but why not just try it out? :)

Karl
 
Hi Bob,

no, you can't request a web.config file. The ASP.NET framework has
attached a page handler to this file which serves a HTTP-Forbidden to
the client.

You can encrypt your config file if you don't want people to be able to
read it.

Grtz, Wouter

Trainer - Info Support
www.dive-in-it.nl
 
Ehr Karl,

that's what I said...

and the .config file is not mapped to ASPX. It is mapped to the ASP.NET
isapi dll which kick starts it all.

Oh well..
 
Excellent. Thanks, guys.

In other words, I can create my own custom .config file (i.e.
myusers.config) and rely on IIS to protect it from prying eyes for me?
 
Back
Top