Saturday, 18 August 2007

Asp .net Web.config Configuration File

Asp .net Web.config Configuration File

What is Web.Config File?

Web.config file, as it sounds like is a configuration file for the Asp .net web application. An Asp .net application has one web.config file which keeps the configurations required for the corresponding application. Web.config file is written in XML with specific tags having specific meanings.

What is Machine.config File?

   As web.config file is used to configure one asp .net web application, same way Machine.config file is used to configure the application according to a particular machine. That is, configuration done in machine.config file is affected on any application that runs on a particular machine. Usually, this file is not altered and only web.config is used which configuring applications.

 

What can be stored in Web.config file?

There are number of important settings that can be stored in the configuration file. Here are some of the most frequently used configurations, stored conveniently inside Web.config file..

  1. Database connections
  2. Session States
  3. Error Handling
  4. Security

Database Connections:

   The most important configuration data that can be stored inside the web.config file is the database  connection string. Storing the connection string in the web.config file makes sense, since any modifications to the database configurations can be maintained at a single location. As otherwise we'll have to keep it either as a class level variable in all the associated source files or probably keep it in another class as a public static variable.

   But it this is stored in the Web.config file, it can be read and used anywhere in the program. This will certainly save us a lot of alteration in different files where we used the old connection.

Lets see a small example of the connection string which is stored in the web.config file.

<configuration>

  <appSettings>

     <add key="ConnectionString"

          value="server=localhost;uid=sa;pwd=;database=DBPerson" />

  </appSettings>

</configuration>

   As you can see it is really simple to store the connection string in the web.config file. The connection string is referenced by a key which in this case is "ConnectionString". The value attribute of the configuration file denotes the information about the database. Here we can see that if has database name, userid and password. You can define more options if you want.

There is a very good website that deals with all sorts of connection strings. Its called www.connectionstrings.com , in the website you will find the connection strings for most of the databases.

Lets see how we access the connection string from our Asp .net web application. 

using System.Configuration;

string connectionString = (string )ConfigurationSettings.AppSettings["ConnectionString"];

The small code snippet above is all that is needed to access the value stored inside the Web.config file.

Session States:

   Session in Asp .net web application is very important. As we know that HTTP is a stateless protocol and we needs session to keep the state alive. Asp .net stores the sessions in different ways. By default the session is stored in the asp .net process. You can always configure the application so that the session will be stored in one of the following ways.

1) Session State Service

   There are two main advantages of using the State Service. First the state service is not running in the same process as the asp .net application. So even if the asp .net application crashes the sessions will not be destroyed. Any advantage is sharing the state information across a Web garden (Multiple processors for the same computer).

Lets see a small example of the Session State Service.

<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:55455" sqlConnectionString="data source=127.0.0.1;user id=sa;password='' cookieless="false" timeout="20"/>

The attributes are self explanatory but I will go over them.

mode: This can be StateServer or SqlServer. Since we are using StateServer we set the mode to StateServer.

stateConnectionString: connectionString that is used to locate the State Service. 

sqlConnectionString: The connection String of the sql server database.

cookieless: Cookieless equal to false means that we will be using cookies to store the session on the client side.  

 

2) SQL Server  

The final choice to save the session information is using the Sql Server 2000 database. To use Sql Server for storing session state you need to do the following:

1) Run the InstallSqlState.sql script on the Microsoft SQL Server where you intend to store the session.

You web.config settings will look something like this:

<sessionState mode = "SqlServer" stateConnectionString="tcpip=127.0.0.1:45565" sqlConnectionString="data source="SERVERNAME;user id=sa;password='' cookiesless="false" timeout="20"/>

SQL Server lets you share session state among the processors in a Web garden or the servers in a Web farm. Apart from that you also get additional space to store the session. And after that you can take various actions on the session stored.

The downside is SQL Server is slow as compared to storing session in the state in process. And also SQL Server cost too much for a small company.

3) InProc:

  This is another Session State. This one is mostly used for development purposes. The biggest advantage of using this approach is the applications will run faster when compared to other Session state types. But the disadvantage is Sessions are not stored when there is any problem that occurs with the application, when there is a small change in the files etc., Also there could be frequent loss of session data experienced.. 

Error Handling: 

Error handling is one of the most important part of any web application. Each error has to be caught and suitable action has to be taken to resolve that problem. Asp.net web.config file lets us configure, what to do when an error occurs in our application.

Check the following xml tag in the web.config file that deals with errors:

<customErrors mode = "On">

<error statusCode = "404" redirect = "errorPage.aspx" />

</customErrors>

This tells the Asp.net to display custom errors from a remote client or a local client and to display a page named errorPage.aspx. Error "404" is "Page not found" error.

If custom error mode is turned "off" than you will see Asp.net default error message. This error messages are good for debugging purposes but should never be exposed to the users. The users should always be presented with friendly errors if any.

Security:

The most critical aspect of any application is the security. Asp.net offers many different types of security method which can be used depending upon the condition and type of security you need.

1) No Authentication: 

No Authentication means "No Authentication" :) , meaning that Asp.net will not implement any type of security.

2) Windows Authentication:

The Windows authentication allows us to use the windows user accounts. This provider uses IIS to perform the actual authentication, and then passes the authenticated identity to your code. If you like to see that what windows user is using the Asp.net application you can use:

User.Identity.Name;

This returns the DOMAIN\UserName of the current user of the local machine.

3) Passport Authentication:

Passport Authentication provider uses Microsoft's Passport service to authenticate users. You need to purchase this service in order to use it.

4) Forms Authentication:

Forms Authentication uses HTML forms to collect the user information and than it takes required actions on those HTML collected values.

In order to use Forms Authentication you must set the Anonymous Access checkbox checked. Now we need that whenever user tries to run the application he/she will be redirected to the login page.

<authentication mode="Forms">

<forms loginUrl = "frmLogin.aspx" name="3345C" timeout="1"/>

</authentication>

<authorization>

<deny users="?" />

</authorization>

As you can see we set the Authentication mode to "Forms". The forms loginUrl is the first page being displayed when the application is run by any user.

The authorization tags has the deny users element which contains "?", this means that full access will be given to the authenticated users and none access will be given to the unauthenticated users. You can replace "?" with "*" meaning that all access is given to all the users no matter what.



--
Prakash Samariya (IT Professional, HDSE)
Mob: 9879074678 Res: +91-79-32924610
http://ps-india.blogspot.com/
http://psamariya.googlepages.com/
Below Nelson's School, Opp SBI, Punit Ahram Road, Maninagar, Ahmedabad - 380008, Gujarat, India.

No comments:

Hits4Pay