All geek questions in one place

What is the correct method for encrypting ASP.NET communications?

I looked at some connectionStrings (Web.config) encryption examples in an ASP.NET MVC application (.NET 4.0), and it seems that there are two general ways to achieve it ( Example 1 and the corresponding Example 2 ):

Use the aspnet_regiis tool.

The main problem with using aspnet_regiis is that I can run the tool locally (on my development machine), but the website is actually hosted on Arvixe, and like any other web host: there is no way to run commands on the server. As far as I understand, if I encrypt the Web.config connectionStrings connection on my machine and publish Web.config, they cannot be decrypted on the server (please correct me if this is not so).

Note. I used only RSAProtectedConfigurationProvider, but I assume that it DataProtectionConfigurationProviderwill have the same problem as it depends on the user / machine.

Programmatically encrypt the connection string.

Programmatically encrypting connectionStrings also has a drawback: every time I publish my website, Web.config is updated (with unencrypted connectionStrings), which means that for some period of time Web.config will not be encrypted. Even if I guarantee that Web.config will be published only after making changes to it, the problem can be minimized, but not mitigated.

, . . , connectionStrings , , - (Request.ApplicationPath), () .

private void ProtectSection(string sectionName,
                                   string provider)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section =
                 config.GetSection(sectionName);

    if (section != null &&
              !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(provider);
        config.Save();
    }
}

private void UnProtectSection(string sectionName)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section =
              config.GetSection(sectionName);

    if (section != null &&
          section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

UnProtectSection("appSettings");

ProtectSection("appSettings",
    "DataProtectionConfigurationProvider");

connectionString / , Web.config ? - OpenWebConfiguration, , ? -, , , , ?

+3
3

, , , / , XML , /...

:

new HttpRequestWrapper(System.Web.HttpContext.Current.Request);

.

+3

, , :

internal static class SecurityExtension
{
    public static string GetConnetionString(this Configuration config, string databaseName, string provider = "RSAProtectedConfigurationProvider")
    {
        string sectionName = "connectionStrings";
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(provider);
            config.Save();
        }

        return WebConfigurationManager.ConnectionStrings[databaseName].ConnectionString;
    }
}

, :

Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
string connectionString = config.GetConnetionString("MyDatabaseName");

Update:
:

private static HttpRequestWrapper request = new HttpRequestWrapper(System.Web.HttpContext.Current.Request);
private static Configuration config = WebConfigurationManager.OpenWebConfiguration(request.ApplicationPath);
private static string connectionString = config.GetConnetionString("MyDatabaseName"));

, ​​ , DataContext , .

0

ConnectionString Web.config

web.config, , , , Ive , web.config .

<connectionStrings>
   <add name="myDbConnection" providerName="System.Data.SqlClient"
   connectionString="Data Source=myServer;Integrated Security=true;Initial Catalog=myDatabase"/>
</connectionStrings>

connectionstring web.config asp.net, System.Configuration, .

Note. If you defined the connection string in the appSettings section, you can get your connection string from the appSettings section this way. Read ConnectionString in C #

protected void Page_Load(object sender, EventArgs e)
{
       string con = System.Configuration.ConfigurationManager.ConnectionStrings["myDbConnection"].ConnectionString;
}

Reading connection string in Vb.net

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
       Dim con As String = System.Configuration.ConfigurationManager.ConnectionStrings("myDbConnection").ConnectionString
End Sub

Example: simple insert, update and delete in Asp.net You might also like to insert, update and delete in asp.net gridview here. Thats it, now you can get the connectionstring from the web.config file and you can use it wherever you want.

You can read more on asp.net via http://www.aspneto.com/category/aspnet/

-1
source

Source: https://habr.com/ru/post/1793757/

More articles:


All Articles