I understand this question can be general but, specifically with regards to ASP.NET MVC, what's the best way to keep passwords locally but not in git/svn? My database connection string is currently in web.config -- is it best to somehow include a file in web.config that isn't in git? What do you folks do?
I use Windows Auth with my databases, so the connection string contains a server name but not a username/password.
For Machines where I can't use Windows Auth, I use web.config transforms and add the web.dev.config to my .gitignore.
Regarding Git, I would use a filter driver in order to build the right web.config out of:
a web.config.template file,
an external (encrypted) source where to look for the password.
On every checkout, the 'smudge' script would be the right web.config content, that way:
web.config remains private (only visible in your working tree)
common parts of the web.config which don't change often and are public information remain versioned in web.config.template.
the password, even encrypted, don't get replicated from repository to repository.
put the web.config in your .gitignore file. The web.config will not change very often.
Related
i came to know : Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config , one is automatically generated for you by ASP.NET.
If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, hence why it crashes with the above error.
My concern is
before write the machine key in web.config i like to know where i should look for the machine key to copy & paste in web.config. when we are testing in local pc then we can copy & paste the machine key in web.config but when we will host our site in godady or ORCSWEB in shared environment then those company may not give machine key of the pc where our site will be hosted. so i need to know how to handle this situation. thanks
EDIT
<configuration>
<system.web>
<machineKey
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>
how to get or generate validationKey & decryptionKey separately ? any idea?
If the ASP.NET application is restarted (e.g. do an iisreset), the
AntiForgeryToken within the browser cookie will still be encrypted
with an old machine key???
I don't think machine key changes with iisreset.
You can generate machine key (validation and decryption key) yourself and specify it in web.config. The same key will be used in all cases where encryption is performed e.g. Auth tickets, AF Token.
A good introduction link.
UPDATE:
How to generate machine key?
There are various way, this msdn blog suggest using IIS which looks more secure to me as Microsoft tool being used. However, it seems this feature is only supported until IIS 7. I don't find it on my box IIS 8.5. I checked on IIS 7.5 and its not present there either. However, I found it in IIS 6.1 on a coworker box.
Second option is to use custom key generators
a. Machine Key Generator (online)
b. ASP.NET machineKey Generator (tool you can modify)
Is it possible to do away with the web.config file in the Views folders of an MVC application?
Due to a bug in the encryption feature of Web Deploy I need to just use a single web.config file in the root of the site.
see: MSDeploy automatic encryption of connection strings, key not found in dictionary
I have only few projects on my bag. In a previous desktop application when I wanted to store and use some application specific information I was using the app.config file.
Now I work on ASP.NET MVC 4 application and again I want to store some application specific information but this time I'm not sure. I have the web.config file which seems like a good place for this purpose but I'm not sure if it's the right place to store custom information there.
What is the right approach to do this? For example I want to save and extract path to directory on the file system where I'll save all my files. In ASP.NET MVC 4 what/where is the right place to do that?
The web.config file is what web application use where a desktop application uses app.config, and it's a good place to put application specific information.
You can add keys to the <appSettings> tag, and use them in the application just as you would if you put them in that tag in the app.config file. Example:
string path = ConfigurationManager.AppSettings["DataPath"];
Web.config is for ASP.NET and ASP.NET MVC; app.config is for desktop applications and DLLs.
If you need to storie any kind of parameter for your application that you can change without having to recompile, Web.config is the place to go.
Web.config is the web application version of app.config. Web.config seem like a good place for the configuration settings you're talking about.
Sometimes when you have a dll that had reference to desktop app.config, and when you import that MVC application you need to change the configuration data that used to be in app.config now to web.config.
Currently I have a web service, which loads up any plugins located within its /plugins folder. Now the problem is that each plugin has its own set of configuration data, currently hardcoded and isolated into a single class, but I want to move this out into a myplugin.config file.
Normally the web service loads up its own web.config file, but I am not sure if I can get the plugins to use their own ones. As if you imagine the main web service uses NHibernate and does CRUD stuff with some arbitrary data, but one of the plugins adds a caching layer using MongoDB and has its own connection string details. So the MVC web service shouldn't really care about these settings, it should just be the MyPlugin which would need to read them.
Is there any way to do this? As I just want to get away from having the connection string ingrained within the code.
I have sorted this problem now, I was able to do it without much work really once I found out how config files could be loaded in.
I made sure my config file was named after the assembly loaded via MEF, so if my assembly was:
some-custom-plugin.dll
You would make a config file named:
some-custom-plugin.dll.config
then you would call:
var config = ConfigurationManager.OpenExeConfiguration("some-custom-plugin.dll");
var someValue = config.AppSettings["some-app-setting"];
So hope this helps someone as it took me a while to find this simple thing out.
Using MVC 1.0, and Azure July 2009 SDK
I have an MVC application that appears to be working in the azure test framework, except for the fact that my appSettings collection is empty when running there. (But if I just run the web project on it's own, it's fine.)
Is there something special I need to do to access the web.config from Azure?
Sounds quite odd... I might check that web.config is getting properly copied when you launch under the dev fabric. Browse to your app directory and look for a .csx directory. Under there you should find your web app and hopefully the correct web.config. If not, then the problem is somewhere in packaging. (Make sure that web.config is marked as "content" or "copy always" in the properties in VS.)
Otherwise I'm happy to take a look at the project if it's something you can share. My email address is Steve.Marx#microsoft.com.