You use Microsoft Visual Studio 2010 and Microsoft .NET Framework 4 to create an application. The application connects to a Microsoft SQL Server 2008 database. The application uses a Microsoft ADO.NET SQL Server managed provider. When a connection fails, the application logs connection information, including the full connection string. The information is stored as plain text in a .config file.
You need to ensure that the database credentials are secure.
Which connection string should you add to the .config file?
A. Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=false;
B. Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=true;
C. Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=false;
D. Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=true;
According to the guide, the answer is 'A'. But in my opinion, the answer is 'C'. If we are using Integrated Security = SSPI, we don't need to supply UserID and Password. So, Persist Security Info=false has no effect.
As far as I know, Persist Security Info only takes effect if the connection string has User Credentials.
Could you please advise me which one is correct? Thanks.
Setting Persist Security Info to true or yes allows security-sensitive information, including the user ID and password, to be obtained from a connection after it has been opened.
The best way to secure the database connection string is to encrypt the value within the configuration file. The application would then load the encrypted value from the config file, decrypt the value, and then use the decrypted value as the connection string to connect to the database.
Connection strings can be stored as key/value pairs in the connectionStrings section of the configuration element of an application configuration file.
NO - trusted_connection=true means Windows Authentication and Windows Authentication requires trusted_Connection=true. If you specify "trusted_connection=True" ==> you have Windows Authentication; if you don't specify it, you don't have Windows Authentication. – marc_s.
You are right. Persist Security Info=false has an effect only if a user name and password are provided in the connection string. But the question is "What should you store in .config file" and considering that "information is stored as plain text" you should not store UID and PWD in the config file. If you store C, PWD and UID can be extracted from the .config file. But if you store A, there are no credentials to extract.
I'm not sure why A has "Persist Security Info=false", but it looks like it is a good practice.
See MSDN examples:
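The difference between the four options, as an added example that is not part of the original posts or taken from MSDN: it parses each option with `SqlConnectionStringBuilder`, reports whether the string itself carries credentials, and produces a copy with the credential keywords removed for the failure log. The class and method names (`ConnectionStringAudit`, `EmbedsCredentials`, `RedactForLog`) are hypothetical; it assumes a .NET Framework project that references System.Data.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringAudit   // hypothetical helper, not from the thread
{
    // True when the string carries SQL-login credentials that anyone who
    // can read the plain-text .config file or the log could extract.
    public static bool EmbedsCredentials(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return b.UserID.Length > 0 || b.Password.Length > 0;
    }

    // Copy of the string for the failure log: the User ID and Password
    // keywords are dropped, every other keyword is kept.
    public static string RedactForLog(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        b.Remove("User ID");
        b.Remove("Password");
        return b.ConnectionString;
    }

    static void Main()
    {
        // The four options from the question, with the placeholder values as posted.
        string[] options = {
            "Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=false;",
            "Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=true;",
            "Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=false;",
            "Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=true;"
        };

        char label = 'A';
        foreach (string cs in options)
        {
            var b = new SqlConnectionStringBuilder(cs);
            Console.WriteLine("{0}: embeds credentials = {1}, Persist Security Info = {2}",
                label++, EmbedsCredentials(cs), b.PersistSecurityInfo);
            Console.WriteLine("   log as: {0}", RedactForLog(cs));
        }
    }
}
```

Persist Security Info governs what an opened connection hands back, not what sits in the file, so only the `EmbedsCredentials` result says whether the .config file and a log of the raw string expose a password.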