Locking Down Configuration

Earlier in this chapter, we discussed how the configuration for the application is computed by merging the machine.config and web.config settings for the application. Sometimes it is not desirable to allow the settings to be overridden by the application, as in hosted environments. The ASP.NET configuration system accounts for this through a special allowOverride attribute that is optionally defined with the <location /> element:

<configuration>
    <location path="MyApplication" allowOverride="false">
        <system.web>
            <sessionState timeout="30" />
        </system.web>
    </location>
</configuration>

If not specified, the default value for the attribute is allowOverride=“true”. You can use the allowOverride attribute to lock down ASP.NET settings in parent applications and prevent child applications from changing the values. The following example demonstrates how this can be accomplished in machine.config:

<configuration>
    <!-- Additional machine.config settings not shown -->
    <!-- Override Session defaults for Application 1 -->
    <location path="Application1" allowOverride="false">
        <system.web>
            <sessionState timeout="30" />
        </system.web>
    </location>
 
    <!-- Override Session defaults for Application 2 -->
    <location path="Application2" allowOverride="false">
        <system.web>
            <sessionState mode="StateServer" />
        </system.web>
    </location>
</configuration>

Any attempts to change <sessionState /> settings via a web.config in Application1 or Application2 would result in an exception.