Securing connection strings and
making secure authentication method
Introduction:
In one of the previous articles we
saw that we can use the web.config file to save our connection string. We also
talked about the advantages which comes down to easily altering the connection
string if it changes in the future. What we did not talked about was encrypting
connection string. When we store the connection string in the web.config file
it's stored in a readable form. If anyone can open the web.config file he can
read the connection string and security will be jeopardize.
So In this article we will see
that how we can secure our connection string by encrypting it and we will also
see how we can make secure login screens.
Saving connection String
without Encryption:
Let's see a small example where we
store the connection string in the web.config file without encrypting it.
|
<configuration>
<appSettings>
<add key="ConnectionString"
value="server=localhost;uid=sa;pwd=;database=DBPerson"
/>
</appSettings>
</configuration>
|
This is one of the worst ways of
storing the connection string. As you can see we can easily see the userid and
the password for this database connection and anyone can easily access the
database without authentication.
Let's see a little better approach
of saving the connection string:
<configuration>
<appSettings>
<add key="DBConnStr"
value="server=(local);Integrated Security=SSPI;database=northwind"/>
</appSettings>
</configuration> |
As you see above that the
connection string is now saved without displaying the username and the password.
This is better than the last connection string but still we can see what
database is being used. In this case its northwind database.
Now we will see that how we can
encrypt the connection string so hackers are not able to see the important
information about the database. We will make a small method that will take the
connection string as the parameter and it will return the encrypted connection
string. We can place the returned encrypted connection string back in the
web.config file. I will also tell you that how you can decrypt the connection
string when using in your application.
Encrypting Connection
Strings:
Let's see the method which
encrypts the connection string.
|
// This method is used to encrypt the connection string
private string
EncryptConnectionString(string
connectionString)
{
Byte[] b =
System.Text.ASCIIEncoding.ASCII.GetBytes(connectionString);
string
encryptedConnectionString = Convert.ToBase64String(b);
return
encryptedConnectionString;
}
|
Explanation of the Code:
1) The method
EncryptConnectionString takes in the connectionString and returns the encrypted
ConnectionString
2) In this case we have used the
ASCIIEncoding which gets the bytes representation of the connection string and
store it in an array.
3) Finally, we encrypt the
connection string using the ToBase64String method of the Convert class and the
connection string is returned to the caller.
If you print out the connection
string you will find something like this:
ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F0YWx
Once you got the encrypted
connection string you can copy and paste it in the web.config file.
|
<appSettings>
<add
key="ConnectionString"
value="ZGF0YSBzb3VyY2U9Llx2c2RvdG5ldDtpbml0aWFsIA0KICAgY2F"/>
</appSettings>
|
As you can see now the connection
string has been encrypted and saved in the web.config file. You can no longer
read the connection string by just looking at the encrypted string.
Lets see that how we can decrypt
the connection string so that we can use it in our applications.
|
// This method is used to decrypt the connection string
private string
DecryptConnectionString()
{
Byte[] b =
Convert.FromBase64String(ConfigurationSettings.AppSettings["ConnectionString"]);
string
decryptedConnectionString = System.Text.ASCIIEncoding.ASCII.GetString(b);
return
decryptedConnectionString;
}
|
Explanation of the Code:
1) First we get the byte
representation of the connection string. You can see that we are retrieving the
encrypted connection string from the web.config file.
2) Later we decrypt the connection
string using the same method that we first used to encrypt it. And finally we
returned the decrypted connection string to the caller.
There are many more complex
algorithms that you can use to encrypt and decrypted the connection strings. But
this is surely one of the most simple encryption and decryption algorithms.
Making secure
authentication:
Let's now talk about making a
secure authentication. First let's see what we mean by bad authentication. For
this purpose we will make a simple login page which consists of username and the
password. Your user interface will look something like this:
As, you can see this is a simple
login page with two textboxes, two labels and a login button. Lets see some bad
login code:
|
// This is the login button click code
private void Button1_Click(object
sender, System.EventArgs e)
{
if(txtUserName.Text
== "john" && txtPassword.Text == "doe")
{
// print the message welcome
to the website.
}
else
{
// print the message. you
are not authorized to visit this website
}
}
|
This is the absolute worst login
code. The developer has hardcode the username and the password in the
presentation layer file. This not only gives the direct interaction of the user
to the business logic but this code is also very hard to maintain. Suppose, in 2
weeks some new users have registered for this website. Now you have to go back
to the file and edit the if-else checks. If you have 100 users you will have 100
if-else checks which is the worst scenario.
Let's see a some important points
to make a better login page:
1) You must validate the input of
the user. If the fields are necessary it should be check at the interface level
using the required field validator web controls provided by the Microsoft.net
framework.
2) If you are checking
authentication of the users its always a good idea to store the users in the
database rather than hard code it in the file.
3) Always check for the SQL
Injections. Users can put anything in the textbox that can make your application
crash. All the dangerous user input much be catch.
4) Never and never give the user
ability to directly communicate with the business logic. Also always store the
business logic in a separate class files.
5) If you are planning to use the
Login control on each and every page of you application it's a better idea to
make the login control as a User Control in this way you can easily modify it
without having to go to all the pages.
6) Finally, don't give too much
information to the user. What I mean to say is that if the users enters the
wrong password don't tell him that the password is 6 digits long and its your
favorite pet name. Always give the message which is to the point like "Invalid
password".
I hope you liked the article happy
coding !
Attachments:
Project Files: Security_connectionstring_azam.zip
About the Author:
Mohammad Azam is currently completing his
bachelors in Computer Science from University of Houston. Mohammad Azam is always seeking freelance
projects to work. Currently he is also seeking Summer 2005 Internship. If any
one interested you can contact him at
azamsharp@gmail.com.
If you have further questions please email Azam
at azamsharp@gmail.com