The Connection String ? Encrypting ?

Skoder

Hello, basically what i dont understand is that if the "hacker" / intruder have access to the web.config file i assume he will also have access to the .aspx files. In that case storing it in any of the 2 places (web.config file or hardcoding it in a .aspx file) wont help you at all. Even if it is encrypted it wont do any good, as you will have to store the key somewhere (dont know where it should be stored?!). Soo if the web.config file is accessible to the "hacker"/ intruder the place / file where you have stored the key for decrypting the connection string will also be accessible ? Even if you store it in a com/dll he will easily be able to pull out the connection string, as you could just look at one of the existing .aspx files and change it soo it either just writes out the connection string or if holds the key, uses the key to decrypt the connection string and then write it out. Soo my conclusion would be that if the user have access to the web.config/.aspx file(s) it doesnt matter how you choosed to store it, as you are just fucked then. Only thing encryption would do is that it would take the hacker about 30 seconds longer to get the connection string... Soo the best thing to do is to just use the intergrated security, and then the encryption of the connection string doesnt really matter as someone from the outside cant use the information to anything, and if he is inside you have problems anyway... I am probably talking a lot of nonsense ... (actually i hope soo) ... :) Soo i hope that someone could tell me how it should be done, and why my conclusion isnt right, or at least point me in the right direction. Martin :confused: Merry Christmas ... :)