Last post Jun 14, 2010 01:01 AM by helpjet
Jun 12, 2010 07:29 PM|helpjet|LINK
I built a web deployment project but I am unable to hide .xml files. In the AppCode folder I have 2 XML files; users can only access those files through the xy.aspx page.
When I built the project for deployment and hid the AppCode folder, the whole application went down the drain. It is giving me an error that AppCode/abc.xml can't be found (something like that). The XML files have some critical data (expiration dates for the application license). You must be thinking why I am keeping such information in an XML file rather than in a database; it is because the client is hosting the application locally. If the client backdates the server in order to work around the license expiration date, the application will simply stop working.
My second question is, I am using Forms Authentication, and keeping the password in the web.config file. Is there any way to hide <authentication ></authentication>? The web deployment project doesn't hide that section. I want to hide the credentials because it has a password which is used to renew the application license.
Actually I didn't know that I would face such a situation where I can't hide such info. Otherwise I would have adopted the database approach.
Jun 13, 2010 08:51 AM|nomercy007|LINK
For the web.config, you can encrypt sections. Check this link:
For the XML files in general, I am not sure if .NET has something ready, but they can be encrypted too.
Jun 14, 2010 01:01 AM|helpjet|LINK
Thanks for the reply.
What I understood from the link you posted is that the application MUST be named "MachineDPAPI" in order to use the utility to encrypt sections of the web.config.
I had to do three things
1) Hide/Encrypt connection string in web.config (because the connection string has the user id and password for the database)
2) Hide/Encrypt passwords in web.config (Forms Authentication - credentials)
3) Hide/Encrypt .xml file contents
So that's how I did it
Problem 1 Solution :: Removed the connection string from the web.config and created a static class which only returns the connection string. So instead of accessing the connection string from the web.config, each database access class gets the connection string from the static class.
Problem 2 Solution :: I encrypted the passwords which are kept in the credentials section of the web.config. For encrypting I downloaded a class from the net which has encrypt/decrypt functionality. So when the user enters a password, I encrypted it, then passed the encrypted password to FormsAuthentication.Authenticate(UsernameTextbox.Text, encryptedPassword). The user enters the plain text password and has no need to know the encrypted password kept in web.config. The client can dig into web.config and can find the encrypted password but not the encryption and decryption class.
Problem 3 Solution :: I am keeping encrypted data in the .xml file. So when the application accesses the .xml file, the middle layer extracts the encrypted data from the .xml file, decrypts it and then passes it to the application.
Since I am using a layered architecture, the fix was easy and quick.
Hope this would be helpful for someone in future.
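
Added example, not code from any poster in this thread: one way to cover the three items with what the .NET Framework ships, using the DPAPI protected-configuration provider for the web.config sections and `ProtectedData` for the license XML. The class name `ConfigProtection`, its method names and the `appVirtualPath` and `path` parameters are hypothetical.

```csharp
using System.Configuration;
using System.IO;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Text;
using System.Web.Configuration;

public static class ConfigProtection   // hypothetical helper, not from the thread
{
    // Built-in DPAPI-based protected configuration provider.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Sections named in the thread: the database connection string and
    // the Forms Authentication block that holds <credentials>.
    private static readonly string[] Sections =
        { "connectionStrings", "system.web/authentication" };

    // Encrypts the sections in place in the application's web.config.
    // Run once on the target server after deployment (e.g. appVirtualPath = "~").
    public static void ProtectWebConfig(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        foreach (string name in Sections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || section.SectionInformation.IsProtected) continue;
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
        }
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Writes the license XML as a DPAPI blob bound to this machine.
    public static void SaveProtectedXml(string path, string xml)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(xml), null, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(path, blob);
    }

    // Reads and decrypts the blob. Throws CryptographicException if the file
    // was modified or was copied from a different machine.
    public static string LoadProtectedXml(string path)
    {
        byte[] plain = ProtectedData.Unprotect(
            File.ReadAllBytes(path), null, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }
}
```

Protected sections are decrypted transparently at read time, so `ConfigurationManager.ConnectionStrings` and `FormsAuthentication.Authenticate` keep working unchanged. Machine-scope DPAPI ties the ciphertext to the server, so it guards against the files being copied off the host, not against an administrator of that host.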