none
Providing password for connection RRS feed

  • Question

  • This seems like a bone-head question but believe it or not I have been using ADO.Net for a while and I have never been able to figure this out; I finaly decided to ask about it.

    When creating a DataSource in the Visual Studio designer the "Data Sourse Configuration Wizard" gives the option to include or exclude "sensitive data" (the password) in/from the connection string. Next to the option to excude it it says "I will set this information in my application code."

    My question is, how exactly does MS intend for the developer to set the password in the code? I don't see any way to set the password at runtime without some serious cluging.


    Thanks
    Jacob

    • Edited by Jacob Wagner Tuesday, February 16, 2010 9:00 PM type-o
    Tuesday, February 16, 2010 8:57 PM

Answers

All replies

  • Hello Jacob,

     

    Welcome to ADO.NET DataSet forum!

     

    Good question!  For security concern, it is recommended to encrypt the security information like password in the connection string.  OmegaMan has a very detailed explanation in this related thread, http://social.msdn.microsoft.com/Forums/en-US/clr/thread/496677bf-4cbe-4522-96b8-310830e2af46.   

     

    Of course, we can store the sensitive data like the password in our codes and modify the connection string retrieved from the .config file during runtime, so that we don’t need to store the password in .config file.   However, since .NET codes are easy to disassemble, so the password information is also easy to get from our codes.   Encryption is still recommended. 

     

    Here are some other good references:

    http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

    http://msdn.microsoft.com/en-us/library/89211k9b.aspx

    http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx

    http://www.codeproject.com/KB/security/ProtectedConfigWinApps.aspx

    http://www.codersource.net/asp_net_security_connection_string.aspx

     

    As you said, it is not easy to get and set the password during runtime.   But I think for security concern, some cost is worth. 

     

    If you have any questions, please feel free to let me know.

     

    Have a nice day!

     

     

    Best Regards,
    Lingzhi Sun

    MSDN Subscriber Support in Forum

    If you have any feedback on our support, please contact msdnmg@microsoft.com


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Wednesday, February 17, 2010 6:28 AM
    Moderator
  • i agree with Sun, But there are cases, where you don't need to save the password anywhere else.Such accounts are called Application account. This is one kind of risk in Data protecting. Somebody can hijack your application and access the DB via your connection. If you really want to keep password in a connection string, use a PACKER. like PECompact,UPX,Petlite. This will protect your application from disassemble.
    Thanks Mike --------Please mark as answer if it is useful----------
    Wednesday, February 17, 2010 9:26 AM
  • Thanks for that

    but all of those links deal with securing the config file. I don't want to use a config file, I want to embed the connection string (or at least the password) in the code.

    There has got to be a way to do this or why would the option exist in the dataset designer to not save the password?

    I am working on a work-around that involves adding a few members to the DataSet and some of its related classes. But, it is lesst than elegant. If somone knows how MS intended that option to be used it would be very helpfull.

    Jacob
    Wednesday, February 17, 2010 8:14 PM
  • Hi Jacob,

     

    The VS wizard will still save the connection string in the .config file.  However, if we select save the password in the our code, only the password is not stored in the .config file.  If we want to set the password by code, we can directly access the connection object via TableAdapter.Connection and reset the TableAdapter.Connection.ConnectionString by adding the password section.  

     

    Yes, it is a good idea to add some custom methods to the DataSet to manually set the connection string.  I don’t think it is less than elegant since the DataSet related classes are all partial classes which are allowed to be improved on our own.   However, as Mike suggested, you can use some tool to avoid your application being dissembled.  If not, others can easily get the password information via some tool like .NET Reflector.   

     

    I believe that the most fit is the best.  Which methods to use is all determined by our detailed scenario.  J

     

    Have a nice weekend!

     

     

    Best Regards,
    Lingzhi Sun

    MSDN Subscriber Support in Forum

    If you have any feedback on our support, please contact msdnmg@microsoft.com


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Friday, February 19, 2010 8:21 AM
    Moderator
  • Hi Jacob,

     

    I am writing to check the status of the issue on your side.  Would you mind letting us know the result of the suggestions? 

     

    If you need further assistance, please feel free to let me know.   I will be more than happy to be of assistance.

     

    Have a nice day!

     

     

    Best Regards,
    Lingzhi Sun

    MSDN Subscriber Support in Forum

    If you have any feedback on our support, please contact msdnmg@microsoft.com


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Tuesday, February 23, 2010 1:22 AM
    Moderator