
ASP.NET Web.config Configuration File
2/19/2005 6:07:55 PM

This article covers the web.config file and how it can affect your applications.

What is Web.Config File?

As its name suggests, the Web.config file is the configuration file for an ASP.NET web application. There is one web.config file for one ASP.NET application, and it configures that particular application. The file is written in XML, with specific tags having specific meanings.

What is Machine.config File?

Just as the web.config file configures one ASP.NET web application, the Machine.config file configures applications for a particular machine: configuration done in machine.config affects every application that runs on that machine. Usually this file is not altered, and only web.config is used when configuring applications.

What can be stored in Web.config file?

There are a number of important settings that can be stored in the configuration file. Here are some of the most important:

1) Database connections

2) Session States

3) Error Handling

4) Security

Database Connections:

The most important thing to store in the web.config file is the database connection string. Storing it there makes sense because if we later want to change the location of our database, we only have to change the connection string in the web.config file, and that's it. This saves us from altering every file that used the old connection.

Let's see a small example of a connection string stored in the web.config file.

<configuration>

  <appSettings>

     <add key="ConnectionString"

          value="server=localhost;uid=sa;pwd=;database=DBPerson" />

  </appSettings>

</configuration>

As you can see, it is really simple to store the connection string in the web.config file. The connection string is referenced by a key, which in this case is "ConnectionString". The value attribute holds the information about the database; here it contains the database name, user ID and password. You can define more options if you want.

There is a very good website that deals with all sorts of connection strings, www.connectionstrings.com, where you will find connection strings for all sorts of databases.

Let's see how we access the connection string from our ASP.NET web application.

using System.Configuration;

string connectionString = ConfigurationSettings.AppSettings["ConnectionString"];

As you can see, it is very simple to get the connection string out of web.config and then use it in your application.

Session States:

Sessions are very important in an ASP.NET web application. HTTP is a stateless protocol, so we need sessions to keep state alive. ASP.NET can store sessions in different ways. By default the session is stored in the ASP.NET process. You can always configure the application so that the session is stored in one of the following ways.

1) Session State Service

There are two main advantages of using the State Service. First, the state service does not run in the same process as the ASP.NET application, so even if the ASP.NET application crashes the sessions will not be destroyed. Another advantage is sharing the state information across a Web garden (multiple processors on the same computer).

Let's see a small example of the Session State Service.

<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:55455" sqlConnectionString="data source=127.0.0.1;user id=sa;password=''" cookieless="false" timeout="20" />

The attributes are self explanatory but I will go over them.

mode: This can be StateServer or SQLServer. Since we are using the State Service we set the mode to StateServer.

stateConnectionString: The connection string that is used to locate the State Service.

sqlConnectionString: The connection String of the sql server database.

cookieless: Cookieless equal to false means that we will be using cookies to store the session on the client side.  

 

2) SQL Server  

The final choice for saving the session information is a SQL Server 2000 database. To use SQL Server for storing session state you need to do the following:

1) Run the InstallSqlState.sql script on the Microsoft SQL Server where you intend to store the session.

Your web.config settings will look something like this:

<sessionState mode="SQLServer" stateConnectionString="tcpip=127.0.0.1:45565" sqlConnectionString="data source=SERVERNAME;user id=sa;password=''" cookieless="false" timeout="20" />

SQL Server lets you share session state among the processors in a Web garden or the servers in a Web farm. Apart from that, you also get additional space to store the session, and you can take various actions on the stored session afterwards.

The downside is that SQL Server is slow compared to storing session state in process. SQL Server also costs too much for a small company.

Error Handling: 

Error handling is one of the most important parts of any web application. Each error has to be caught, and suitable action has to be taken to resolve the problem. The ASP.NET web.config file lets us configure what to do when an error occurs in our application.

Check the following XML tag in the web.config file that deals with errors:

<customErrors mode = "On">

<error statusCode = "404" redirect = "errorPage.aspx" />

</customErrors>

This tells ASP.NET to display custom errors to both remote and local clients, and to display a page named errorPage.aspx. Error "404" is the "Page not found" error.

If custom error mode is turned "Off" then you will see the ASP.NET default error messages. These error messages are good for debugging purposes but should never be exposed to users. Users should always be presented with friendly errors, if any.
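The settings shown so far can be checked mechanically before a site goes live. The script below is an added example, not part of the original article: it parses a web.config and reports the empty "sa" password used in the sample connection strings and a customErrors mode of "Off". The sample file is constructed from the article's own snippets, and the finding texts are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's settings gathered into one file.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ConnectionString"
         value="server=localhost;uid=sa;pwd=;database=DBPerson" />
  </appSettings>
  <system.web>
    <sessionState mode="SQLServer" cookieless="false" timeout="20"
        sqlConnectionString="data source=SERVERNAME;user id=sa;password=''" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

USER_KEYS = ("uid", "user id")
PASSWORD_KEYS = ("pwd", "password")

def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().strip("'\"") for k, v in pairs}

def audit_connection_string(where, value):
    fields = parse_connection_string(value)
    findings = []
    if any(fields.get(k, "").lower() == "sa" for k in USER_KEYS):
        findings.append(f"{where}: logs in as the SQL Server 'sa' administrator")
    if any(fields.get(k) == "" for k in PASSWORD_KEYS):
        findings.append(f"{where}: empty database password")
    return findings

def audit_web_config(xml_text):
    """Return a list of findings for the settings this article covers."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall("appSettings/add"):
        value = add.get("value", "")
        if ";" in value and "=" in value:  # heuristic: looks like a connection string
            findings += audit_connection_string(f"appSettings[{add.get('key')}]", value)
    for session in root.iter("sessionState"):
        if session.get("mode", "").lower() == "sqlserver":
            findings += audit_connection_string(
                "sessionState", session.get("sqlConnectionString", ""))
    for errors in root.iter("customErrors"):
        if errors.get("mode", "").lower() == "off":
            findings.append("customErrors: mode=Off sends detailed ASP.NET errors to users")
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```
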

Security:

The most critical aspect of any application is security. ASP.NET offers many different types of security methods, which can be used depending on the conditions and the type of security you need.

1) No Authentication: 

No Authentication means "No Authentication" :) , meaning that Asp.net will not implement any type of security.

2) Windows Authentication:

Windows authentication allows us to use Windows user accounts. This provider uses IIS to perform the actual authentication and then passes the authenticated identity to your code. If you would like to see which Windows user is using the ASP.NET application you can use:

User.Identity.Name;

This returns the DOMAIN\UserName of the current user of the local machine.

3) Passport Authentication:

Passport Authentication provider uses Microsoft's Passport service to authenticate users. You need to purchase this service in order to use it.

4) Forms Authentication:

Forms Authentication uses HTML forms to collect the user information and then takes the required actions on the collected values.

In order to use Forms Authentication you must check the Anonymous Access checkbox. Now we need the user to be redirected to the login page whenever he/she tries to run the application.

<authentication mode="Forms">

<forms loginUrl = "frmLogin.aspx" name="3345C" timeout="1"/>

</authentication>

<authorization>

<deny users="?" />

</authorization>

As you can see we set the Authentication mode to "Forms". The forms loginUrl is the first page being displayed when the application is run by any user.

The authorization tag has the deny users element, which contains "?". This means that full access will be given to authenticated users and no access will be given to unauthenticated users. You can replace "?" with "*" meaning that all access is given to all the users no matter what.
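ASP.NET URL authorization checks the rules in order and applies the first one that matches, where "?" stands for anonymous users and "*" stands for every user. The following added example (not from the original article) models that evaluation so a rule set can be checked before it is deployed; the account names alice and bob are hypothetical, and roles and verbs are left out.

```python
import xml.etree.ElementTree as ET

# machine.config's default rule; ASP.NET evaluates it after the application's rules.
MACHINE_DEFAULT = ET.fromstring('<allow users="*" />')


def is_allowed(authorization_xml, user):
    """First matching rule wins. user=None is an anonymous request.

    Simplified model: only the users attribute is handled (no roles or verbs),
    and names are compared exactly.
    """
    rules = list(ET.fromstring(authorization_xml)) + [MACHINE_DEFAULT]
    for rule in rules:
        for name in (n.strip() for n in rule.get("users", "").split(",")):
            if name == "*" or (name == "?" and user is None) or (user and name == user):
                return rule.tag == "allow"
    return False


# Constructed rule sets; "alice" and "bob" are hypothetical account names.
RULE_SETS = {
    "article": '<authorization><deny users="?" /></authorization>',
    "deny_star": '<authorization><deny users="*" /></authorization>',
    "alice_only": '<authorization><allow users="alice" />'
                  '<deny users="*" /></authorization>',
    "wrong_order": '<authorization><deny users="*" />'
                   '<allow users="alice" /></authorization>',
}


def access_table():
    """Map each rule set to (anonymous, alice, bob) access decisions."""
    return {name: tuple(is_allowed(xml, who) for who in (None, "alice", "bob"))
            for name, xml in RULE_SETS.items()}


if __name__ == "__main__":
    for name, row in access_table().items():
        print(f"{name:12} anonymous={row[0]} alice={row[1]} bob={row[2]}")
```

In this model `<deny users="*" />` on its own rejects every request, and placing it before an allow rule makes that allow rule unreachable.
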

Final Words: 

As you have seen, the Web.config file plays a very important role in the overall ASP.NET application. There are a lot more features that I have not discussed, including caching. Try using the web.config file when you need to configure the overall application.

About the Author:

Mohammad Azam, also known as Azamsharp, has been programming in .NET for 4 years. He is the author of several articles, which can be viewed on his website www.azamsharp.cjb.net. Apart from the articles, Azamsharp is also a Top 50 poster on the official Microsoft forums (www.asp.net).

At present Azamsharp is completing his undergraduate degree in Computer Science at the University of Houston and is also working as a .NET consultant for cSoft Technologies.

You can reach Azamsharp at xMohammadAzamx@yahoo.com


Comments Left:
Left on 3/17/2010 7:00:19 AM by Anonymous
Comments: fine
Left on 2/20/2010 12:23:05 AM by Anonymous
Comments: <configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>

No ratings available.
Left on 12/29/2009 3:47:10 AM by Anonymous
Comments: <customErrors
No ratings available.
Left on 12/3/2009 6:48:51 AM by Anonymous
Comments: Nice article
Left on 11/13/2009 2:35:27 AM by Anonymous
Comments: <!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
Left on 9/20/2009 7:42:57 AM by Anonymous
Comments: Nice article. But for really rapid editing of the web.config file I use my own visual tool: http://sites.google.com/site/webconfigtool/
Left on 6/19/2009 7:09:26 AM by Anonymous
Comments: Very Nice Info
Left on 6/2/2009 7:19:13 PM by Anonymous
Comments: Helpful for beginners
Left on 5/7/2009 3:31:01 AM by Anonymous
Comments: very fine
No ratings available.
Left on 4/1/2009 5:48:30 AM by Anonymous
Comments: good explanation and simple
Left on 1/12/2009 10:14:14 PM by Anonymous
Comments: It's really helpful for beginners
Left on 9/16/2008 2:12:04 AM by Anonymous
Comments: insufficient
No ratings available.
Left on 9/16/2008 2:11:30 AM by Anonymous
Comments: did not get satisfied
No ratings available.
Left on 9/8/2008 4:28:07 AM by Anonymous
Comments: I got more from this article
Left on 8/28/2008 5:49:51 AM by Anonymous
Comments: It is really helpful to everyone. Great work.

Left on 6/21/2008 2:22:33 AM by Anonymous
Comments: very nice one
Left on 4/9/2008 8:14:54 AM by Anonymous
Comments: Gr8t Work
Left on 1/25/2008 4:17:51 AM by Anonymous
Comments: so simple so nicely
Left on 10/15/2007 7:18:48 AM by Anonymous
Comments: Nice One ...
Left on 8/9/2007 9:33:34 AM by Anonymous
Comments: You tell nothing that no one else tells. Where do we put these single lines? Not just anywhere.
Left on 6/27/2007 1:18:36 AM by Anonymous
Comments: Excellet, i satisfection it
Left on 6/5/2007 6:03:20 PM by Anonymous
Comments: HOW DO U GO TO MYSPACE HOME PAGE

Left on 6/1/2007 6:09:10 AM by Anonymous
Comments: great
Left on 2/15/2007 4:59:16 AM by Anonymous
Comments: Nice
Left on 5/22/2006 11:00:13 AM by Anonymous
Comments: Pathetic. No good information to get. How can you write all such stuff?
No ratings available.
Left on 5/1/2006 1:44:19 AM by Anonymous
Comments: good & helpful
No ratings available.
Left on 4/24/2006 2:11:13 AM by Anonymous
Comments: ok...ravindra..mumbai
No ratings available.
Left on 4/21/2006 2:18:25 AM by Anonymous
Comments: I hate you
Left on 4/18/2006 1:26:14 AM by Anonymous
Comments: Really good! Would appreciate storing encoded password also included in examples
Left on 4/14/2006 12:30:38 PM by Anonymous
Comments: easy 2 understand 4 beginners......gr8 stuff
Left on 4/7/2006 1:36:45 AM by Anonymous
Comments: Excellent

Left on 4/6/2006 7:44:12 AM by Anonymous
Comments: This content is really easy to understand.Keep up the good work guys.

Arun(Chandigarh)
No ratings available.
Left on 4/5/2006 2:58:11 AM by Anonymous
Comments: This is really a very good article. But explain more, like the possible namespaces that can be used in web.config. Thanks a lot for this.
Abhishek Saxena (INDIA)
No ratings available.
Left on 4/4/2006 7:09:26 AM by Anonymous
Comments: hi
No ratings available.
Left on 3/28/2006 8:26:15 PM by Anonymous
Comments: luv it

Left on 3/26/2006 11:51:35 PM by Anonymous
Comments: It's too good
Left on 3/22/2006 4:22:55 AM by Anonymous
Comments: Best he g
No ratings available.
Left on 3/21/2006 4:48:43 AM by Anonymous
Comments: good one
Left on 3/1/2006 2:57:38 AM by Anonymous
Comments: very good
No ratings available.
Left on 2/25/2006 7:49:10 AM by Anonymous
Comments: Web debugging server does not start
No ratings available.
Left on 2/21/2006 6:55:37 AM by Anonymous
Comments: Excellent one
Left on 2/20/2006 3:27:34 AM by Anonymous
Comments: good short description
Left on 1/27/2006 7:23:01 AM by Anonymous
Comments: It helped me and solved my problem. Can you please explain each tag of the DotNetNuke web.config to me? Please mail me at modgray@hotmail.com
Left on 1/22/2006 5:26:05 AM by Anonymous
Comments: Very informative.
Helpful for beginners.

Left on 1/19/2006 12:32:24 AM by Anonymous
Comments: yeh kya hua
No ratings available.
Left on 8/18/2005 2:56:21 AM by Anonymous
Comments: Simple n sober...fully upto the mark
Left on 8/8/2005 12:46:51 PM by Anonymous
Comments: For the guy who said connections string in web config is poor programming:
You moron! web.configs are compiled. MS would not have included a connection string tag if it was bad.
Left on 7/6/2005 10:45:25 AM by Anonymous
Comments: this is what i was searching for

Left on 6/10/2005 5:32:02 AM by Anonymous
Comments: There is a Problem for storing Session Data in Web.Config file.
It says that Unrecognised Configuration Section.
No ratings available.
Left on 6/5/2005 1:59:18 PM by Anonymous
Comments: It was really excellent
No ratings available.
Left on 5/5/2005 2:27:47 AM by Anonymous
Comments: Very good doc for the beginner
Left on 4/29/2005 12:25:10 PM by Anonymous
Comments: Web.Config Configuration File --> <configuration> <system.web> <customErrors mode="Off"/> </system.web> </configuration
No ratings available.
Left on 4/25/2005 3:25:49 AM by Anonymous
Comments: Good Example
Left on 4/19/2005 2:57:32 PM by Anonymous
Comments: A lot of help
Left on 4/4/2005 3:21:29 PM by Anonymous
Comments: So, are there any security threats by storing information in the web.config?  Is there anyway unauthorized users can ever access the file, and then be able to steal information from it ... including the DB connection string?
No ratings available.
Left on 4/1/2005 4:32:58 PM by Anonymous
Comments: I have poop on my shorts
Left on 3/29/2005 12:54:28 AM by Anonymous
Comments: good stuff
No ratings available.
Left on 3/24/2005 5:13:15 PM by Anonymous
Comments: Real good stuff for beginners!
Left on 3/23/2005 10:15:46 AM by Anonymous
Comments: it is very useful to developers
No ratings available.
Left on 3/23/2005 8:32:19 AM by Anonymous
Comments: It makes sense about the web.config file; the language is too good.
No ratings available.
Left on 3/21/2005 10:19:46 AM by Anonymous
Comments: my name is vijay ,u r article is superb
No ratings available.
Left on 3/21/2005 12:28:15 AM by Anonymous
Comments: i like it
Left on 3/16/2005 1:54:57 PM by Anonymous
Comments: Same comment as one below:  I do not understand a word of this. It didn't help me out one bit.
Left on 3/16/2005 1:31:59 PM by Anonymous
Comments: I do not understand a word of this. It didn't help me out one bit.
Left on 3/15/2005 11:17:29 PM by Anonymous
Comments: Overall the article was very good. Easy to understand. I don't agree with "poor" English. This is not about learning English, this is about learning ASP.NET.
Left on 3/15/2005 9:43:01 AM by Anonymous
Comments: Info is good, but this guy needs a proofreader. The poor English makes reading and understanding difficult.
Left on 3/13/2005 4:42:41 PM by Anonymous
Comments: cookieless: Cookieless equal to false means that we will be using cookies to store the session on the client side. 

Setting cookieless=false, does not store the session on the client side, only the session identifier is stored in the cookies, not the entire session data
No ratings available.
Left on 3/11/2005 3:57:11 PM by Anonymous
Comments: I would like to include that web.config file is not deployment with the asp.net application. So, it's particularly safe to store the connection string. But good practice will be to encrypt it.
Left on 3/11/2005 3:54:29 PM by Anonymous
Comments: Good for beginners :D
Left on 3/10/2005 6:59:00 AM by Anonymous
Comments: custom error
No ratings available.
Left on 3/3/2005 4:25:45 AM by Anonymous
Comments: Very Bad
No ratings available.
Left on 3/3/2005 4:20:06 AM by Anonymous
Comments: difficult for my level to understand.
No ratings available.
Left on 3/2/2005 4:23:41 PM by Anonymous
Comments: Note  You can use Web.config or Machine.config to store encrypted connection strings. Machine.config is preferred as it is in a system directory outside of a virtual directory. This is discussed further in the next section, "Using Web.config and Machine.config."
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp
Left on 3/2/2005 4:18:50 PM by Anonymous
Comments: OMG, storing the connection string in the Web.Config is against Microsoft best practices. DO SOME RESEARCH WOULD YOU!
Left on 3/2/2005 4:15:14 AM by Anonymous
Comments: The resource provided is very helpful for gaining some knowledge of session, error handling and types of authentication
Left on 2/25/2005 1:01:07 AM by Anonymous
Comments: Succinct!
     
     

 

     
     

 


 

