ASP.NET Configuration Settings (web.config)


ASP Classic provided only a limited set of functionality for storing common Web application-level parameters. ASP.NET takes this much farther by providing an XML-based configuration settings file, commonly known as web.config. If you have common properties, such as database connection properties, that should be kept in a configurable yet shared repository, web.config is what you should be looking at. Apart from being a placeholder for properties, web.config is also used to define the authentication mechanisms an application should use. Depending on its location, the web.config file can customize the settings of a Web site (\inetpub\wwwroot), a particular application (\inetpub\wwwroot\app), or even a subdirectory of an application (\inetpub\wwwroot\app\subdir).

The web.config file has separate sections focused on providing details on application settings, authentication mechanisms, authorization parameters, browser capabilities, compilation defaults, error handling, globalization, advanced HTTP handlers and modules, security policy, session management, trace parameters, and so on.

Now take a look at a sample web.config file that should provide some more insight:

 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
     <!-- debug="true" emits debug symbols; it should be "false" on a production server -->
     <compilation
          defaultLanguage="c#"
          debug="true"
     />
     <!-- RemoteOnly: detailed error pages are shown only to requests from the local machine -->
     <customErrors
     mode="RemoteOnly"
     />
     <authentication mode="Windows" />
     <authorization>
         <allow users="*" />
     </authorization>
     <!-- Trace output is disabled, and even when enabled is limited to local requests -->
     <trace
         enabled="false"
         requestLimit="10"
         pageOutput="false"
         traceMode="SortByTime"
         localOnly="true"
     />
     <sessionState
             mode="InProc"
             stateConnectionString="tcpip=127.0.0.1:42424"
             sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
             cookieless="false"
             timeout="20"
     />
     <globalization
             requestEncoding="utf-8"
             responseEncoding="utf-8"
    />
  </system.web>
 </configuration>

Configuring ASP.NET for Forms-based Authentication

Security is a key requirement of many Web applications. ASP.NET provides a configurable (not just codeable!) mechanism for specifying authentication parameters in web.config rather than in code. Take a look at a web.config file that specifies parameters for forms-based authentication. Figure 8.9 shows an example of forms validation.

 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
     <authentication mode="Forms">
        <!-- protection="All": the authentication ticket cookie is both encrypted and validated -->
        <forms name="MyAppCookie" path="/" loginUrl="Login.aspx"
               protection="All" timeout="200">
            <!-- passwordFormat="Clear": the password is stored as plain text in web.config -->
            <credentials passwordFormat="Clear">
              <user name="hks" password="hks"/>
            </credentials>
        </forms>
     </authentication>
     <authorization>
         <!-- "?" denotes anonymous users; they are redirected to loginUrl -->
         <deny users="?"/>
     </authorization>
   </system.web>
 </configuration>
Figure 8.9. Forms validation for ASP.NET applications.

Here is the Forms page itself:

 <%@Page Language="C#" %>
 <%@Import Namespace="System.Web.Security" %>
 <script language="C#" runat="server">
    void loginButton_Click(Object sender, EventArgs args) {
        // Compares the submitted pair against the <credentials> list in web.config
        if (FormsAuthentication.Authenticate(user.Text, password.Text)) {
           // false: issue a session cookie rather than a persistent one
           FormsAuthentication.RedirectFromLoginPage(user.Text, false);
        } else {
           message.Text = "Un-authorized Access!";
        }
    }
 </script>
 <html>
 <head></head>
 <body>
  <form runat="server">
  <b>User:</b><br/>
  <asp:TextBox id="user" runat="server"/><br/>
  <b>Password:</b><br/>
  <asp:TextBox id="password" textmode="password" runat="server"/><br/>
  <asp:Button id="loginButton" OnClick="loginButton_Click"
       Text="Login" runat="server"/><br/>
  <asp:Label id="message" ForeColor="Red" runat="server"/>
  </form>
 </body>
 </html>

Beyond the preceding simplified example, ASP.NET can authenticate against more than simple user name/password pairs stored in web.config: custom user profile databases, Active Directory, and so on.
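As an added example that is not the book's code, here is the same login handler written as a C# code-behind class that uses the hashed credential format ASP.NET supports and rejects malformed input before calling Authenticate. The web.config fragment in the comment, the SHA1 format, and the class and field names are assumptions.

```csharp
// Added example, not the book's code: the Login.aspx handler rewritten as a
// code-behind class that stores hashed credentials and validates input first.
// Assumed web.config (an assumption): <credentials passwordFormat="SHA1"> with
//   <user name="hks" password="[hex SHA-1 from HashForConfig]"/> inside <forms>.
using System;
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox user;
    protected TextBox password;
    protected Label message;

    // Letters, digits, dot, underscore, hyphen; 1 to 32 characters.
    static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9._-]{1,32}$");

    // Run once (for example from a small admin page) to obtain the value that goes
    // into the password attribute; the clear text itself is never written to web.config.
    public static string HashForConfig(string clearText)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearText, "SHA1");
    }

    protected void loginButton_Click(object sender, EventArgs args)
    {
        string name = user.Text.Trim();
        string pwd = password.Text;
        // Reject malformed input before it reaches the authentication provider.
        if (!UserNamePattern.IsMatch(name) || pwd.Length == 0 || pwd.Length > 128)
        {
            message.Text = "Invalid user name or password.";
            return;
        }
        // Authenticate hashes pwd with the configured format and compares the hashes.
        if (FormsAuthentication.Authenticate(name, pwd))
        {
            FormsAuthentication.RedirectFromLoginPage(name, false); // session cookie only
        }
        else
        {
            // Same message for unknown name and wrong password: no user enumeration hint.
            message.Text = "Invalid user name or password.";
        }
    }
}
```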

SHOP TALK : VALIDATING DATA AS A STEP TOWARD WEB APPLICATION SECURITY

Validating data in Web-based applications (or even Windows applications) is important not just from a user interface perspective but also as a step toward making applications secure. Validating Web-based forms helps protect your application against attacks such as SQL injection, buffer overflow, and the like. For example, SQL injection attacks use nonvalidated input fields to pass a SQL string as part of the input. Typically the field is used as an input to a SQL query or a stored procedure call; the extra SQL string is then executed as part of that query and can perform an undesirable operation. Overall, a rule for application security, and especially for Web-based applications because they are exposed to the external world through the Internet, is to always validate input fields.


Specifying Application-level Properties

As previously mentioned, the web.config file can be used to store application-level parameters, including runtime-specific strings, connection strings, and messages. This prevents such strings from being scattered across several ASP.NET files. For instance, the following addition of the <appSettings> section makes the ApplicationName configuration property available to all pages in the application.

 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   ...
   <appSettings>
          <add key="ApplicationName" value="ABC Order Entry Application"/>
   </appSettings>
 </configuration>

Once specified, the application setting can be accessed using the ConfigurationSettings class in the .NET Framework class library.

 <%@ Page Language="C#" %>
 <script runat="server">
       void Page_Load(Object sender, EventArgs e) {
         // Reads the value of the <add key="ApplicationName"> entry in web.config
         AppName.Text = ConfigurationSettings.AppSettings["ApplicationName"];
       }
 </script>
 <html>
 <head> </head>
 <body>
     <form runat="server">
        <asp:Label id="AppName" runat="server"/>
     </form>
 </body>
 </html>
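The input-validation point from the SHOP TALK sidebar and the appSettings lookup just shown, combined in one added example that is not the book's code: an order lookup written first with string concatenation and then with a parameterized SqlCommand, reading its connection string from an assumed appSettings key OrderDbConnection and querying an assumed Orders table.

```csharp
// Added example, not the book's code: the order lookup that the SHOP TALK sidebar
// warns about, first with string concatenation, then as a parameterized query.
// The connection string is read from <appSettings> under an assumed key,
// "OrderDbConnection", in the same way the page reads "ApplicationName".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public class OrderLookup
{
    static string ConnectionString
    {
        get { return ConfigurationSettings.AppSettings["OrderDbConnection"]; }
    }

    static DataTable Run(SqlCommand cmd)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        {
            cmd.Connection = conn;
            DataTable result = new DataTable();
            new SqlDataAdapter(cmd).Fill(result); // Fill opens and closes the connection
            return result;
        }
    }

    // VULNERABLE: the field value is pasted into the statement, so a quote character
    // in the input ends the literal and whatever follows is executed as SQL.
    public static DataTable FindOrdersUnsafe(string customerId)
    {
        string sql = "SELECT OrderId, Total FROM Orders WHERE CustomerId = '"
                     + customerId + "'";
        return Run(new SqlCommand(sql));
    }

    // HARDENED: validate the field against the expected format, then send it as a
    // typed parameter; the statement text never changes, whatever the input contains.
    public static DataTable FindOrders(string customerId)
    {
        if (customerId == null || !Regex.IsMatch(customerId, @"^[A-Z0-9]{1,10}$"))
            throw new ArgumentException("customerId must be 1-10 upper-case letters or digits");
        SqlCommand cmd = new SqlCommand(
            "SELECT OrderId, Total FROM Orders WHERE CustomerId = @customerId");
        cmd.Parameters.Add("@customerId", SqlDbType.NVarChar, 10).Value = customerId;
        return Run(cmd);
    }
}
```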


Microsoft .NET Kick Start
ISBN: 0672325748
Year: 2003
Pages: 195
Authors: Hitesh Seth
