Storing Connection Strings
|
bobum
Elvis Fanatic
|
When storing connection strings - what method do y'all use to secure them as securely as possible?
Storing them in the registry? Outside of the wwwroot? Global.asa/web.config? Any thoughts?
|
Alan
HostMySite Marketing
|
I am not an expert with it, but I have seen different configurations within the global.asa file. You can create session variables and application variables that store the username, the password and the connection string. Then in your code you reference the session variable in the connection.
So you could set Session.qstring = "Select * from table" then in your code call it as Connection.open (Session.qstring). The above is a generalization, but that is definitely a common method that I have seen. This way if the page errors out and displays the code that is causing the problem you would only see Connect.open (Session.qstring) rather than seeing your connection string. I am sure Josh could give you exact strings and examples you could use.
|
DatabaseDude
|
I use Web.config for ASP.NET and application.cfm for ColdFusion. Typically for ASP, given my knowledge levels at the time, I created an include file and referred to that as necessary throughout the site. I've just not gone back to load it into global.asa or a more elegant way.
Having one central spot makes it a breeze for changing, plus to my understanding this is a very secure means of storing the string. HTH Bryant
|
Josh
Forum Regular
|
Web.Config ALLLL the way.
Sometimes with ASP/ASP.NET, portions of the global.asa(x) file will spew with the error... still exposing your unwanted information. However, nothing in your web.config file will EVER be displayed... the only way to view the web.config file is to open it w/ a text editor... Period. It is the single most secure place for storing sensitive information.
|
bobum
Elvis Fanatic
|
We are currently storing them in the registry and calling them down from there - there are people who think that storing them in the registry is more secure for one reason or another...
|
Alan
HostMySite Marketing
|
Although it may be more secure, I wouldn't recommend this as storing more information in the system registry could impact performance of the server. I cringe whenever I have to type regedit.
|
bobum
Elvis Fanatic
|
You and me both...the search continues for an acceptable solution...
|
Josh
Forum Regular
|
Why search... how is storing them in Web.Config insecure? It's one of the most secure places to store such information... WAY more than global.asax or even CF's Application.cfm... WAY...
|
bobum
Elvis Fanatic
|
I don't believe it is - I think the web.config is the way to go - but it's the server guys here that have the final say on such things. I'm pushing for the web.config solution. I HATE the idea of giving a webapp access to the registry - there is just something fundamentally BAD about how that sounds...but that's how it's been done here for EONs.
We do have some legacy apps to consider as well so not everything is going to have a web.config. Global.asa, some are just paths to included files with the string in them...I am going to push for encryption of the string and then make each app decrypt it with our own seed/salt whatever you wanna call it. A scheme like that shouldn't be too hard to add in to existing apps and will be REALLY easy to build in the future. I am going to try and dig up some supporting docs on storing connection strings in places other than the registry to help bolster my position. If you know of an article or two that talks about this - post the URLs here and I'll use em. I just cringe every time I think of a webapp hitting the registry on a production server sitting outside of the firewall to get a connection string...it just sounds really really baaad.
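
Added example, not from any poster in this thread: a Python audit that walks a web root, finds files holding a connection-string credential, and labels each by how the web server treats its extension. The extension sets assume default IIS/ASP.NET handling (requests for .config, .asa and .asax are refused), and the sample files, server name and password are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: default IIS/ASP.NET behaviour. BLOCKED extensions are refused
# when requested over HTTP; EXECUTED ones run server-side, not sent as text.
BLOCKED = {".config", ".asa", ".asax"}
EXECUTED = {".asp", ".aspx", ".cfm"}

# Heuristic: a credential key followed by a value, as in ADO/ADO.NET strings.
CONN_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\"'\s]+")


def classify(path: Path) -> str:
    """Exposure class of a file, judged by extension only."""
    ext = path.suffix.lower()
    if ext in BLOCKED:
        return "blocked"
    if ext in EXECUTED:
        return "executed"
    return "served-raw"  # e.g. .inc or .txt includes: returned as plain text


def audit(webroot: Path) -> dict:
    """Map relative path -> exposure class for files holding a credential."""
    findings = {}
    for f in sorted(webroot.rglob("*")):
        if f.is_file() and CONN_RE.search(f.read_text(errors="ignore")):
            findings[f.relative_to(webroot).as_posix()] = classify(f)
    return findings


def build_sample(root: Path) -> None:
    """Constructed sample site; server name and password are made up."""
    conn = "Provider=SQLOLEDB;Data Source=db01;User ID=app;Password=example;"
    (root / "web.config").write_text(f'<add key="db" value="{conn}" />')
    (root / "global.asa").write_text(f'Application("db") = "{conn}"')
    (root / "inc").mkdir()
    (root / "inc" / "conn.inc").write_text(f'<% cs = "{conn}" %>')
    (root / "default.asp").write_text('<!--#include file="inc/conn.inc"-->')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        for name, exposure in audit(Path(d)).items():
            print(f"{exposure:10} {name}")
```

Anything reported as served-raw is a candidate for moving outside the web root or into a file type the server refuses to serve.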



