The web.config file associated with ASP.NET projects acts as an application-wide variable container. It is an XML file with specific elements that describe how application-wide events such as authentication, debugging, and sessions should be handled. You can also place your own static variables here and access them throughout your code. (However, I recommend creating a class to do this. Read Global Variables for an explanation.) Below is a complete web.config file from an ASP.NET project, and below that you'll find a breakdown of what each section means.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>

    <!-- DYNAMIC DEBUG COMPILATION
         Set compilation debug="true" to insert debugging symbols (.pdb information)
         into the compiled page. Because this creates a larger file that executes
         more slowly, you should set this value to true only when debugging and to
         false at all other times. For more information, refer to the documentation
         about debugging ASP.NET files.
    -->
    <compilation defaultLanguage="vb" debug="true" />

    <!-- CUSTOM ERROR MESSAGES
         Set customErrors mode="On" or "RemoteOnly" to enable custom error messages,
         "Off" to disable. Add <error> tags for each of the errors you want to handle.
    -->
    <customErrors mode="RemoteOnly" />

    <!-- AUTHENTICATION
         This section sets the authentication policies of the application. Possible
         modes are "Windows", "Forms", "Passport" and "None"
    -->
    <authentication mode="Windows" />

    <!-- AUTHORIZATION
         This section sets the authorization policies of the application. You can
         allow or deny access to application resources by user or role.
         Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users.
    -->
    <authorization>
      <allow users="*" /> <!-- Allow all users -->
      <!-- <allow users="[comma separated list of users]"
                  roles="[comma separated list of roles]"/>
           <deny users="[comma separated list of users]"
                 roles="[comma separated list of roles]"/>
      -->
    </authorization>

    <!-- APPLICATION-LEVEL TRACE LOGGING
         Application-level tracing enables trace log output for every page within
         an application. Set trace enabled="true" to enable application trace
         logging. If pageOutput="true", the trace information will be displayed at
         the bottom of each page. Otherwise, you can view the application trace log
         by browsing the "trace.axd" page from your web application root.
    -->
    <trace enabled="false" requestLimit="10" pageOutput="false"
           traceMode="SortByTime" localOnly="true" />

    <!-- SESSION STATE SETTINGS
         By default ASP.NET uses cookies to identify which requests belong to a
         particular session. If cookies are not available, a session can be tracked
         by adding a session identifier to the URL. To disable cookies, set
         sessionState cookieless="true".
    -->
    <sessionState mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;user id=sa;password="
                  cookieless="false" timeout="20" />

    <!-- GLOBALIZATION
         This section sets the globalization settings of the application.
    -->
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />

  </system.web>
</configuration>

<compilation defaultLanguage="vb" debug="true" />
defaultLanguage="vb": This specifies the default code language.
debug="true": This specifies that the application should be run in debug mode. If set to false it will disable Debug class members, ignore breakpoints, and it will not place the .pdb file in the bin folder used for debugging. This should match the build option you have set in the Visual Studio environment. Changing one does not automatically change the other.
<customErrors mode="RemoteOnly" />
This specifies how HTTP response errors should be handled. If set to "Off" they will not be handled and generic error messages will be displayed to the user. If set to "On" you should add nodes in the following manner to redirect based on the HTTP error:
<customErrors defaultRedirect="Error.htm" mode="RemoteOnly">
  <error statusCode="404" redirect="notfound.htm"/>
</customErrors>
If the status code of the current error is not found in one of the error nodes, it will redirect to Error.htm.
<authentication mode="Windows" />
This will set the authentication mode for the application. For further information, please read Authentication and Authorization.
<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
If tracing is enabled in the web.config file (set enabled="true" pageOutput="true"), detailed information about the life of the page will be displayed at the end of every page. This can be helpful for debugging. If you set pageOutput="false", a trace.axd file will be created in your application's root folder and trace information will be stored there. If pageOutput is set to false, the requestLimit attribute will designate the number of requests to write to the page log. Setting localOnly="true" will allow you to view the trace file from a remote computer. traceMode has two valid values: SortByTime and SortByCategory. These define how the trace information should be displayed.
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;user id=sa;password=" cookieless="false" timeout="20" />
ASP.NET supports three methods of saving session information: in-process (on the server hosting the application), a state server (on a remote server), or in a SQL database. If your application will be hosted among multiple servers, you will not be able to use in-process because page requests from the same user may be handled by different servers. To use these methods set mode="InProc", "StateServer", or "SQLServer" respectively. If you use a state server you will need to specify stateConnectionString. If you use SQLServer you will need to specify sqlConnectionString. By default ASP.NET will place a cookie on the client's computer to associate that user with their particular session. If you need to avoid using cookies, you can set cookieless="true"; however, this will place a lengthy string in the URL to retain the user's identification. The timeout attribute sets the length in minutes before a session will expire.
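
The following is an added example, not part of the original page: a Python check that reads a web.config and reports which of the settings described above should be changed before the file is deployed. The names `audit` and `parse_conn` are hypothetical, the sample is constructed from the page's file, and only the `user id` and `password` connection-string keys used on the page are recognised.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the settings from the page's web.config, comments removed.
SAMPLE = """<configuration>
  <system.web>
    <compilation defaultLanguage="vb" debug="true" />
    <customErrors mode="RemoteOnly" />
    <trace enabled="false" requestLimit="10" pageOutput="false"
           traceMode="SortByTime" localOnly="true" />
    <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;user id=sa;password="
        cookieless="false" timeout="20" />
  </system.web>
</configuration>"""

def parse_conn(value):
    """Split a 'key=value;key=value' connection string into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(xml_text):
    """Return (setting, reason) pairs for values that should not ship."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return []

    def attr(tag, name, default):
        # A missing element or attribute falls back to the ASP.NET default.
        node = web.find(tag)
        return (default if node is None else node.get(name, default)).lower()

    findings = []
    if attr("compilation", "debug", "false") == "true":
        findings.append(("compilation/@debug", "debug build with symbols is deployed"))
    if attr("customErrors", "mode", "RemoteOnly") == "off":
        findings.append(("customErrors/@mode", "no custom error pages for any client"))
    if attr("trace", "enabled", "false") == "true":
        findings.append(("trace/@enabled", "request trace log is being collected"))
    if attr("sessionState", "cookieless", "false") in ("true", "useuri"):
        findings.append(("sessionState/@cookieless", "session id is carried in the URL"))
    conn = parse_conn(attr("sessionState", "sqlConnectionString", ""))
    if conn.get("user id") == "sa" or conn.get("password") == "":
        findings.append(("sessionState/@sqlConnectionString",
                         "sa login and/or empty password stored in the file"))
    return findings

if __name__ == "__main__":
    for setting, reason in audit(SAMPLE):
        print(f"{setting}: {reason}")
```

Run against the page's file, it reports the debug build and the `sa` connection string; the connection string is flagged even though mode="InProc" does not use it, because the credential is still stored in the file.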