In this article we will go through the Web configuration file and take a look at the important configuration settings that reside in the Web.config file.


What is Web.Config File?

The Web.config file, as the name suggests, is a configuration file for an ASP.NET web application. An ASP.NET application can have one or several configuration files, which keep the configuration required for the corresponding application. The Web.config file is written in XML, with specific tags having specific meanings.

What is Machine.config File?

   Just as the Web.config file is used to configure one ASP.NET web application, the Machine.config file is used to configure applications for a particular machine. That is, configuration done in the machine.config file affects every application that runs on that machine. Usually this file is not altered, and only web.config is used when configuring applications.

What can be stored in Web.config file?

There are a number of important settings that can be stored in the configuration file. Here are some of the most frequently used configurations, stored conveniently inside the web.config file.

  1. Database connections
  2. Session States
  3. Error Handling
  4. Security

Database Connections:

   The most important configuration data that can be stored inside the web.config file is the database connection string. Storing the connection string in the web.config file makes sense, since any modifications to the database configurations can be maintained at a single location. Otherwise we'll have to keep it either as a class level variable in all the associated source files or probably keep it in another class as a public static variable.

   A connection string stored in the web.config file can be read and used anywhere in the application. This saves us from altering every file in which the old connection was used.

Let's see a small example of a connection string stored in the web.config file.



     <appSettings>
       <add key="ConnectionString"
            value="server=localhost;uid=sa;pwd=;database=DBPerson" />
     </appSettings>



   As you can see it is really simple to store the connection string in the web.config file. The connection string is referenced by a key which in this case is "ConnectionString". The value attribute of the configuration file denotes the information about the database. Here we can see that it has database name, userid and password. You can define more options if you want.

Never store your username and password in clear text in the configuration file. Always always always encrypt it. For encrypting the connection string check out my article Securing Connection Strings.

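There is a very good website that deals with all sorts of connection strings. It's called , in the website you will find the connection strings for most of the databases.

Let's see how we access the connection string from our ASP.NET web application.

using System.Configuration;

// Read the value stored under the "ConnectionString" key in <appSettings>.
// On .NET 2.0 and later, ConfigurationManager.AppSettings replaces the obsolete ConfigurationSettings.AppSettings.
string connectionString = ConfigurationSettings.AppSettings["ConnectionString"];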

The small code snippet above is all that is needed to access the value stored inside the Web.config file.

Session States:

   Sessions are very important in a web application. HTTP is a stateless protocol, so we need a session to keep state alive. ASP.NET stores sessions in different ways. By default the session is stored in the process. You can configure the application so that the session is stored in one of the following ways.

1) Session State Service

   There are two main advantages of using the State Service. First, the state service does not run in the same process as the ASP.NET application, so even if the ASP.NET application crashes the sessions will not be destroyed. Another advantage is sharing the state information across a Web garden (multiple processors for the same computer).

Let's see a small example of the Session State Service.

<sessionState mode="StateServer" stateConnectionString="tcpip=" sqlConnectionString="data source=;user id=sa;password=''" cookieless="false" timeout="20"/>

Never store your username and password in clear text in the configuration file. Always always always encrypt it. For encrypting the connection string check out my article Securing Connection Strings.

The attributes are self-explanatory but I will go over them.

mode: This can be StateServer or SQLServer. Since we are using StateServer we set the mode to StateServer.

stateConnectionString: The connection string that is used to locate the State Service.

sqlConnectionString: The connection string of the SQL Server database.

cookieless: Cookieless equal to false means that we will be using cookies to store the session on the client side.


2) SQL Server  

The final choice to save the session information is using the SQL Server 2000 database. To use SQL Server for storing session state you need to do the following:

1) Run the InstallSqlState.sql script on the Microsoft SQL Server where you intend to store the session.

Your web.config settings will look something like this:

<sessionState mode="SQLServer" stateConnectionString="tcpip=" sqlConnectionString="data source=SERVERNAME;user id=sa;password=''" cookieless="false" timeout="20"/>

Never store your username and password in clear text in the configuration file. Always always always encrypt it. For encrypting the connection string check out my article Securing Connection Strings.

SQL Server lets you share session state among the processors in a Web garden or the servers in a Web farm. Apart from that, you also get additional space to store the session, and you can then take various actions on the stored session.

The downside is that SQL Server is slow compared to storing session state in process. SQL Server also costs too much for a small company.

3) InProc:

  This is another session state mode. It is mostly used for development purposes. The biggest advantage of this approach is that applications run faster than with the other session state types. The disadvantage is that sessions are not preserved when any problem occurs with the application, when there is a small change in the files, and so on. Frequent loss of session data may also be experienced.

To learn more about sessions, check out Patrick Y. Ng's article Session State FAQ.

Error Handling: 

Error handling is one of the most important parts of any web application. Each error has to be caught and suitable action has to be taken to resolve the problem. The web.config file lets us configure what to do when an error occurs in our application.

Check the following XML tag in the web.config file that deals with errors:

<customErrors mode="On">
  <error statusCode="404" redirect="errorPage.aspx" />
</customErrors>


This tells ASP.NET to display custom errors to a remote client or a local client, and to display a page named errorPage.aspx. Error "404" is the "Page not found" error.

If custom error mode is turned "Off" then you will see the default error message. These error messages are good for debugging purposes but should never be exposed to the users. The users should always be presented with friendly errors, if any.

Security:

The most critical aspect of any application is security. ASP.NET offers many different types of security methods, which can be used depending on the conditions and the type of security you need.

1) No Authentication:

No Authentication means "No Authentication" :) , meaning that ASP.NET will not implement any type of security.

2) Windows Authentication:

Windows authentication allows us to use Windows user accounts. This provider uses IIS to perform the actual authentication, and then passes the authenticated identity to your code. If you would like to see which Windows user is using the application you can use:


This returns the DOMAIN\UserName of the current user of the local machine.

3) Passport Authentication:

Passport Authentication provider uses Microsoft's Passport service to authenticate users. You need to purchase this service in order to use it.

4) Forms Authentication:

Forms Authentication uses HTML forms to collect the user information and then takes the required actions on the collected values.

In order to use Forms Authentication you must check the Anonymous Access checkbox. Now we want the user to be redirected to the login page whenever he/she tries to run the application.

<authentication mode="Forms">
  <forms loginUrl="frmLogin.aspx" name="3345C" timeout="1"/>
</authentication>

<authorization>
  <deny users="?" />
</authorization>


As you can see we set the Authentication mode to "Forms". The forms loginUrl is the first page being displayed when the application is run by any user.

The authorization tag has the deny users element which contains "?"; this means that full access will be given to authenticated users and no access will be given to unauthenticated users. You can replace "?" with "*", meaning that all access is given to all the users no matter what.
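The warnings in the Database Connections, Session States, Error Handling and Forms Authentication sections can be turned into a repeatable check. The following is an added example, not code from the original article: the sample web.config is constructed from the article's own snippets, and the function name audit_web_config and the finding labels are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the article's settings gathered into one web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ConnectionString"
         value="server=localhost;uid=sa;pwd=;database=DBPerson" />
  </appSettings>
  <system.web>
    <sessionState mode="SQLServer" cookieless="false" timeout="20"
                  sqlConnectionString="data source=SERVERNAME;user id=sa;password=''" />
    <customErrors mode="Off" />
    <authentication mode="Forms">
      <forms loginUrl="frmLogin.aspx" name="3345C" timeout="1" />
    </authentication>
  </system.web>
</configuration>"""

# Keys that carry credentials in a connection string (short and long forms).
CRED_KEY = re.compile(r"(?i)(?:^|;)\s*(uid|user id|pwd|password)\s*=")


def audit_web_config(xml_text):
    """Return a sorted list of (check, location) findings for one web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Clear-text credentials in appSettings values or sessionState.
    for add in root.iterfind("./appSettings/add"):
        if CRED_KEY.search(add.get("value", "")):
            findings.append(("cleartext-credentials", "appSettings/" + add.get("key", "?")))
    web = root.find("system.web")
    if web is None:
        return sorted(findings)
    state = web.find("sessionState")
    if state is not None and CRED_KEY.search(state.get("sqlConnectionString", "")):
        findings.append(("cleartext-credentials", "sessionState/sqlConnectionString"))
    # 2. customErrors "Off" shows the default (debugging) error message to users.
    errors = web.find("customErrors")
    if errors is not None and errors.get("mode", "").lower() == "off":
        findings.append(("default-errors-exposed", "customErrors"))
    # 3. Forms authentication with no <deny users="?"/> in this file.
    auth = web.find("authentication")
    if auth is not None and auth.get("mode") == "Forms":
        denied = [d.get("users") for d in web.iterfind("authorization/deny")]
        if "?" not in denied:
            findings.append(("anonymous-not-denied", "authorization"))
    return sorted(findings)
```

The check reads a single file only; settings inherited from machine.config or a parent web.config are not considered.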

Final Words: 

As you have seen, the Web.config file plays a very important role in the overall application. There are many more features that I have not discussed, including caching. Try using the web.config file when you need to configure the overall application.