passing passwords

Results 1 to 2 of 2

Thread: passing passwords

  1. #1
    Join Date
    Dec 1969

    Default passing passwords

    I have asp pages that connect to a database. I was told to put the connection_string within an application variable in the global.asa file. If this is done and a pwd is in that string, will users have the ability to view those application and session variables "somehow"? <BR>Are these secure variables or is there a better way to assign the connection_string which will be used in multiple pages. The site will use ssl only (if that matters).<BR>Thanks

  2. #2
    Join Date
    Dec 1969

    Default SSL doesn't matter

    As long as you properly trap errors whenever you make the connection, you are in good shape. In certain instances, you may get an error returned that "may" contain all or portions of the connection string should a failed connection occur.<BR><BR>It is fairly common practice to put db connection strings in an application variable in classic ASP. As long as you are up to date with service packs for Win2k, noone from outside the server can read the global.asa. There was an old, old, bug in IIS that would display the contents of the global.asa. If you are running SP2 or above, I believe that takes care of it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts