 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / January 2006Session variable. Secure ?
I'm developing a secure app. So I have a connectionstring in my web.config. That string is encrypted. So it must be decrypted when I want to use it. The question is, do I have to call the decrypt procedure every time (which is a LOT of times), or can I do it once, and then have the unencrypted value somewhere handy, like a global variable/constant on the webserver, a session variable or something else ? Or do session/application variables get submitted "across the wire" og stored in a cookie ? thx /jim Hi, sessions state does not get transmitted to the client. Do you use 1.1 or 2.0 - in 2.0 encrypted config sections are cached automatically... --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > I'm developing a secure app. So I have a connectionstring in my > web.config. That string is encrypted. So it must be decrypted when I [quoted text clipped - 9 lines] > thx > /jim Hello Jim, If you keep the decrypted value in Memory, this has three side effect: The value will most likely be in the page file, any crash dump and is accessible from any appliation on the server running either under the same security context or has the debug privilege enabled. Which database server do you use? If you are running Windows2003 with SQL Server, you could run the application pool under a special database access user and access the sql server with integrated authentication. In this case you woudn't need to encrypt your connetion string. The database user could then be locked down on the database itself. The session variable may or may not be transmitted over the wire. If you are using an out of proess session provider (SQL Server for example) the session state will be serialized and transferred to the sql server. But as Mr. Baier points out, the session state is never transmitted to the client. The whole thing depends on the amount of security you need. With a defense-in-depth approach, you should keep the connection string encrypted most of the time. Greetings, Henning Krause > -----Original Message----- > From: Jim Andersen [mailto:nospam@nospam.dk] [quoted text clipped - 19 lines] > thx > /jim Hi, well - as long as you have a secret (connectionstring with password) you can't escape having that secret in memory in plain text. Even if you don't cache it somehow. Strings in .NET are not zeroed out and will be GCed at some point of time - so they will end up in memory for a longer time as well as in crash dumps and page files. So caching won't hurt you. Of course - as henning pointed out - eliminating the secret is the best approach. Use integrated security for the database (if possible) and no password is exposed at all. --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com > Hello Jim, > [quoted text clipped - 43 lines] >> thx >> /jim Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.