Encrypting Redis Connection String in ASP.NET Web Forms Application #224

Open
sureshgmail opened this issue Jun 21, 2024 · 0 comments

I am using a legacy ASP.NET Web Forms application. For session state management, I am utilizing "Microsoft.Web.RedisSessionStateProvider" version 5.0.4 to connect to my on-premises Redis instance. The connection string is specified in the web.config file, and I am successfully able to establish a connection and save/retrieve session data from Redis.

Below is the connection string I'm using to connect to the Redis instance:

<sessionState mode="Custom" customProvider="MySessionStateStore">
  <providers>
    <add name="MySessionStateStore" type="Microsoft.Web.Redis.RedisSessionStateProvider" 
           connectionString="RedisServerName:Port,password=mypassword,ssl=True,sslProtocols=Tls12" />
  </providers>
</sessionState>

Issue
The connection string currently includes the password in plain text, which is visible to anyone with access to the web.config file. This exposes a security risk as the password is not encrypted.

Objective
I need a way to encrypt the entire connection string in the web.config file so that the password is not exposed in plain text.

Considerations

  • Current Configuration: I have achieved switching the session store to Redis without any code changes, solely by modifying the web.config file.
  • Impact of Encryption: If the connection string is encrypted, will it necessitate code changes or the development of a custom session state provider?

Request

  • Provide a solution or best practice to encrypt the connection string in the web.config file.
  • Clarify if encryption will require modifications to the existing code or the implementation of a custom session state provider.

Thank you for your assistance.
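An audit check for the exposure described in this issue, as an added example that is not part of the original post or of the provider's code: it scans a web.config for `sessionState` providers whose `connectionString` carries a readable password, skips sections that ASP.NET protected configuration has already encrypted (marked by the `configProtectionProvider` attribute), and reports the string with the secret masked. Both sample configs are constructed, and the function names and `SECRET_KEYS` set are assumptions of this example; it also assumes the file declares no default XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the sessionState fragment from the issue inside a minimal web.config.
PLAINTEXT_CONFIG = """<configuration><system.web>
<sessionState mode="Custom" customProvider="MySessionStateStore">
  <providers>
    <add name="MySessionStateStore" type="Microsoft.Web.Redis.RedisSessionStateProvider"
         connectionString="RedisServerName:Port,password=mypassword,ssl=True,sslProtocols=Tls12" />
  </providers>
</sessionState>
</system.web></configuration>"""

# Constructed sample: the shape a section takes once protected configuration has encrypted it.
ENCRYPTED_CONFIG = """<configuration><system.web>
<sessionState configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
</sessionState>
</system.web></configuration>"""

SECRET_KEYS = {"password"}  # option names treated as secrets (assumption of this example)


def redact(conn):
    """Mask secret values in 'host:port,key=value,...'; return (masked, found_secret)."""
    out, found = [], False
    for token in conn.split(","):
        key, sep, value = token.partition("=")  # split at the first '=' only
        if sep and key.strip().lower() in SECRET_KEYS and value.strip():
            token, found = key + "=***", True
        out.append(token)
    return ",".join(out), found


def audit_session_state(xml_text):
    """Return (provider name, masked connection string) for each readable secret."""
    findings = []
    for state in ET.fromstring(xml_text).iter("sessionState"):
        if state.get("configProtectionProvider"):
            continue  # section is encrypted on disk; no readable attributes to flag
        for add in state.iter("add"):
            masked, found = redact(add.get("connectionString", ""))
            if found:
                findings.append((add.get("name", "?"), masked))
    return findings


if __name__ == "__main__":
    for name, conn in audit_session_state(PLAINTEXT_CONFIG):
        print(f"{name}: plaintext secret in connectionString -> {conn}")
```
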
