How To Create the Web configuration File in ASP.NET?

tudip-logo

Tudip

18 May 2020

What is the web.config file?

  • It is an application configuration file of the Official Microsoft ASP.NET  site written in XML format and is responsible for controlling the application behavior.

Benefits of the XML format configuration file

  • Information coded in the XML file is easy to read and understand, and also it can be processed easily by computers.
  • It is extensible i.e. there is no fixed set of tags, new tags can be created as per the requirement.
  • We don’t need to restart the webserver while changing the contents in the configuration file as it automatically detects the changes and applies them to the running asp.net application.

Key Features

  • Web.config file is known as the HEART of the ASP.Net Application.
  • Database Configuration
    • It stores the Database configuration in a connection string,i.e opening the database connection, inserting, selecting, deleting data from the database.web_config_file_asp_1
  • Adding <clear /> tag at the top in the connectionStrings element is a good practice to make sure no other connection strings are overriding down from a higher level configuration file.
  • How to read the connection string in our code:
    String connStr =  ConfigurationManager.ConnectionStrings[“webConnectionString”].ConnectionString;
  • Important Key-Value pair
    • In <appSettings> element we can store Important function names and constants, Session state, Application Security that can be accessed from anywhere in the system.web_config_file_asp_2
  • Application-Security
    • The element which is responsible for the application security in the configuration file
      • Custom errors: If we make it disable then Everyone will be able to inspect details about our application that could be potential fuel for hackers.

        Secure Configuration:
        web_config_file_asp_3
      • Trace: When we enable application-level tracing, trace information is gathered and processed for each page in that application and for that reason any user can view an incredibly detailed list of recent requests to the application by browsing to the page. It is also one of the most useful tools that an attacker can use to attack our Web-based applications if it is left enabled in a production environment.

        Secure configuration:
        web_config_file_asp_4
      • Debugging: Debugging of the application is handled through the configuration file but it is ok of making it true for the local debugging of the application but when you are going for the production deployment then it should be false for the security purpose.

        Secure configuration:
        web_config_file_asp_5
      • HTTP cookies: Microsoft introduced a new cookie property called HttpOnly.We can set its property programmatically on a per-cookie basis, also we can set it globally in the site configuration. If we make this property true then it will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This prevention of cookies from the client helps to protect our Web-based applications from Cross-Site Scripting attacks.

        Secure configuration:
        web_config_file_asp_6
      • Session state(): Session variables are very powerful, but they have a few downsides. Information in the session state will get lost when the ASP.NET process breaks.

        Secure configuration:
        web_config_file_asp_7
      • Authentication(): The authentication section controls the type of authentication used within your Web application, as contained in the attribute mode. There is three authentication mode:
        • Windows: If we add windows authentication mode for the ASP.NET application, we also have to configure authentication within IIS, because IIS provides Windows authentication
        • Passport: Passport authentication lets us use Microsoft’s passport service to authenticate users of the ASP.NET application.
        • Forms: Forms authentication provides us a way to handle authentication using our own custom logic within an ASP.NET application.

        Secure configuration:

        web_config_file_asp_8

Different types of Configuration files

  • Machine.config – The global configuration file for all sites in a given machine which is called Machine.config.
  • Web.config – Application configuration files that deal with the individual application.

Summary

  • In this article, we got to know about the consequences of the web.config file in any ASP.NET application. It also provided a good overview of important aspects like application security, database connection, key-value pair in the configuration file for any .net based application.

Request a quote