ConnectionString stored in web.config when using Entity Framework?!

  • Question

  • I'm trying out Entity Framework for the first time.  I have an ASP.NET application referencing a class library project wherein I am creating the .edmx.  When I first create it (database first), it stores the ConnectionString in the app.config of the class library.  I was shocked to learn that I needed to move that ConnectionString to the web.config of my web application instead!

    Our current model is such that an internet user can access our web application, and then the web application references DLLs of class libraries that have credentials compiled within them.  It is from there that a hole through the firewall exists to get to the internal database.  If a hacker can get to our web server, currently there isn't a lot he/she can do.  BUT if app credentials are stored as clear text in the web.config file, then that's a HUGE security flaw!

    Seriously, is this how Microsoft recommends storing application credentials in Entity Framework?  Surely not and I am missing something.  Please tell me what I'm not understanding correctly.

    Thank you.

    Friday, December 12, 2014 10:07 PM

Answers

  • Hi. You are right, leaving the config file unencrypted in a production environment would be a bad idea. The link here and here cover how to encrypt config sections.
    Friday, December 12, 2014 11:52 PM
  • As JayChase suggests, employing encryption is a great solution.

    Another option is to configure the connection to use integrated security.

    With this configuration there is no need to leave user credentials in the config file.

    Saturday, December 13, 2014 12:11 AM
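The two mitigations the answers describe, as an added example that is not code from the thread: a small program that protects the `<connectionStrings>` section of a deployed web.config with the DPAPI provider (the same thing `aspnet_regiis -pe` does), and, in comments, the integrated-security form of the EF connection string that removes the credentials entirely. The application path `/MyApp` and the connection string name `MyEntities` are assumptions.

```csharp
// Added example: encrypt the connectionStrings section of a web.config in place.
// Requires references to System.Configuration and System.Web.
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectConnectionStrings
{
    static void Main(string[] args)
    {
        // IIS virtual path of the web application (assumption: "/MyApp").
        string appPath = args.Length > 0 ? args[0] : "/MyApp";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
        {
            // DataProtectionConfigurationProvider uses Windows DPAPI, so the
            // encrypted section can only be decrypted on this machine. Use
            // RsaProtectedConfigurationProvider instead when the same web.config
            // must be readable by several servers in a farm.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine("connectionStrings section is now encrypted on disk.");
        }

        // Application code does not change: ASP.NET decrypts the section
        // transparently when the connection string is read (name assumed).
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["MyEntities"];
        Console.WriteLine(cs == null ? "MyEntities not found" : "MyEntities readable");

        // The other option from the thread: keep no credentials at all. The EF
        // "provider connection string" then uses the app pool identity, e.g.
        //   provider connection string="Data Source=dbserver;Initial Catalog=Sales;
        //                               Integrated Security=True"
        // and the database grants that Windows account only the rights it needs.
    }
}
```

The same result can be obtained from an elevated prompt with `aspnet_regiis.exe -pe "connectionStrings" -app "/MyApp"`; either way, anyone with read access to web.config (or a file-disclosure bug on the server) no longer obtains a usable password.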
