解密/加密 ASP.NET 中 web.config 中的连接字符串
我在 web.config 中有一个自定义加密的连接字符串。
我想在应用程序启动期间对其进行解密(第一页是基于母版页的登录页面。登录凭据使用加密的连接字符串进行验证),并且它必须 在应用程序关闭之前进行加密 - 通过任何方式 - 正常关闭或应用程序错误。
我尝试使用 Global.asax 来实现,但由于对 web.config 的任何更改都会重新启动应用程序,因此它进入了循环,因此放弃了此方法。
请注意,我不想要 ASP.NET 提供的默认配置加密,因为我使用自定义配置加密。
虽然在启动期间很容易解密连接字符串,但真的有办法在应用程序关闭期间再次加密吗?
非常感谢!
I have a connection string in web.config which custom-encrypted.
I would like to decrypt this during application start (the first page is Login page which is based on a Master page. The login credentials are verified using the encrypted connection string) and it must be encrypted before application closes - by whatever way - either normal close or application error.
I tried to implement using Global.asax but since any changes to web.config restarts application, it went into a loop and hence gave up this method.
Please note that I do not want the default configuration encryption provided by ASP.NET as I use a custom one.
While it is easy to decrypt the connection string during startup, is there really any way to encrypt again during application close?
Many thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我将冒着这个风险作为答案,因为我无法真正看到您所描述的内容的必要性:
如果应用程序启动时连接字符串已在 web.config *_you_dont_need_to_decrypt_it* 中加密,您只需每次实例化数据库连接时都对其进行解密。相信我,即使您每次打开连接时都解密连接字符串,其性能也可以忽略不计。但是假设您是一个性能狂,并且只想解密一次并放入会话中(坏主意,但这似乎就是您正在做的事情),那么就没有什么可担心的,我将在下面的第 3 点中解释。
假设您解密一次(Application_Start,您有什么),为什么您说您需要在应用程序关闭之前再次加密它 - 无论以何种方式 - 正常关闭或应用程序错误。 ?连接字符串不通过线路传输,它是在服务器端使用的,以便实例化与数据库的连接,但它不是其他人可以做到的通过使用应用程序查看,当然,除非您将其存储在 ViewState 中,但这将是非常愚蠢的。假设
您提到您在 Session 中存储了某些内容,但并不能 100% 清楚您是指连接字符串还是其他内容。假设它是连接字符串(同样,我想不出一个有效的原因。如果有的话,我很抱歉。)它不是任何用户都可以看到的东西,因为会话只不过是服务器上的内存字节 /强>。这同样适用于缓存。
所以,就是这样。
您解密连接字符串,实例化您的连接,执行您的操作并关闭连接。连接字符串可以在 web.config 中永久保持加密状态;未受影响。
更新
由于 OP 使用会员资格提供程序,解决方案是实现您自己的会员资格提供程序。您可以通过以下链接从 Microsoft 下载演示如何执行此操作的示例项目: http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi
查看
SQLConnectionHelper.cs类。
这里是另一篇文章几乎完全满足了您的需求。
更新 2
这是使用反射执行相同操作的另一种方法。称之为黑客,但它似乎完成了这项工作:
在
Global.asax
的Application_PreRequestHandler
内部调用此方法,其中connectionString
是您的连接字符串已解密:来源。
I am going to risk this as an answer because I can't really see the need for what you describe:
If the connection string is already encrypted in the web.config *_you_don't_need_to_decrypt_it* when the application starts, you just decrypt it every time you instantiate a database connection. Believe me, the performance of decrypting the connection string is negligible even if you do it every time you open a connection. But assuming you are a performance freak and you only want to decrypt it once and put in Session (bad idea, but it appears that that's what you are doing), there's nothing to worry about as I will explain in point 3 below.
Supposing that you decrypt it once (Application_Start, what have you), why do you say that you need to encrypt it again
before application closes - by whatever way - either normal close or application error.
? The connection string is not transferred over the wire, it's something that it's used on the server side in order to instantiate a connection to the database but it is not something that someone can see by using the application, unless of course, you store it in ViewState but that would be very silly.You mentioned that you store something in Session although is not 100% clear whether you are referring to the connection string or something else. Assuming it is the connection string (again, I can't think of a valid reason for this. I apologize if there's one.) it's not something that any user can see since Session is nothing but memory bytes on the server. The same applies for Cache.
So, that's that.
You decrypt the connection string, instantiate your connection, do your thing and close the connection. The connection string can stay encrypted in web.config for ever; untouched.
UPDATE
Since the OP is using the Membership provider, the solution is to implement your own Membership provider. You can download a sample project demonstrating how to do this from Microsoft at the following link: http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi
Look at the
SQLConnectionHelper.cs
class.Here's another post doing pretty much exactly what you need.
UPDATE 2
Here's another way to do the same thing using Reflection. Call it a hack, but it seems to do the job:
Inside
Application_PreRequestHandler
inGlobal.asax
call this method, whereconnectionString
is your connection string already decrypted:Source.