How to use web.config as a credential store with Forms Authentication in ASP.NET

This ASP.NET Security tutorial explains how to use web.config as a credential store with Forms Authentication in ASP.NET.

When using forms authentication, you decide where the users' credentials are kept, i.e. which credential store to use: a custom file or a database, for example. The easiest place to store credentials is directly in the web.config file, through the <credentials /> subelement of the <forms /> configuration tag introduced in the article How to configure Forms Authentication in ASP.NET.

<authentication mode="Forms">
  <!-- Detailed configuration options -->
  <forms name="MyCookieName"
         loginUrl="DbLogin.aspx"
         timeout="20">
    <!-- Clear: the passwords below are stored as plain text -->
    <credentials passwordFormat="Clear">
      <!-- A literal "&" inside an attribute value must be written as &amp; -->
      <user name="Admin" password="(A&amp;3_4**5qW)"/>
      <user name="Tom" password="YcagWyw"/>
      <user name="Jerry" password="T@#o$oC"/>
    </credentials>
  </forms>
</authentication>

Note: Use web.config as a credential store only for simple solutions with just a few users. You can hash the password values stored in the web.config file instead of keeping them in clear text. Hashing applies a one-way function to the password: the stored value cannot be converted back into the original password.
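The hashing step from the note, as an added example that is not part of the original tutorial: an offline Python script that rewrites a Clear credentials section into hashed form. It assumes passwordFormat="SHA1" (one of the values ASP.NET accepts) and that the stored value is the uppercase hex SHA-1 digest of the UTF-8 password; the function names and the embedded sample are constructed for this illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: the configuration shown above, with "&" escaped.
SAMPLE = """<authentication mode="Forms">
  <forms name="MyCookieName" loginUrl="DbLogin.aspx" timeout="20">
    <credentials passwordFormat="Clear">
      <user name="Admin" password="(A&amp;3_4**5qW)"/>
      <user name="Tom" password="YcagWyw"/>
      <user name="Jerry" password="T@#o$oC"/>
    </credentials>
  </forms>
</authentication>"""


def hash_for_config(password):
    """Uppercase hex SHA-1 of the UTF-8 password (assumed stored form)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def convert_credentials(xml_text):
    """Replace clear-text passwords with SHA-1 digests; return the new XML."""
    root = ET.fromstring(xml_text)
    for creds in root.iter("credentials"):
        # Only touch sections explicitly marked Clear, so a second run
        # never hashes an existing digest again.
        if creds.get("passwordFormat") != "Clear":
            continue
        for user in creds.findall("user"):
            user.set("password", hash_for_config(user.get("password", "")))
        creds.set("passwordFormat", "SHA1")
    return ET.tostring(root, encoding="unicode")


def check_login(xml_text, name, password):
    """Hypothetical helper: test a login attempt against a converted section."""
    candidate = hash_for_config(password).encode("ascii")
    for user in ET.fromstring(xml_text).iter("user"):
        if user.get("name") == name:
            stored = user.get("password", "").upper().encode("utf-8")
            return hmac.compare_digest(stored, candidate)
    return False


if __name__ == "__main__":
    converted = convert_credentials(SAMPLE)
    print(converted)
    print(check_login(converted, "Tom", "YcagWyw"))
```

These digests are unsalted, so two users with the same password get the same stored value, and anyone who can read web.config can test guesses against it offline. ElementTree drops XML comments when it rewrites the section.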