ASP.NET web.config configuration node details

  • 2021-08-03 09:52:44
  • OfStack

web.config file lookup rules:

(1) If a web.config file exists in the directory of the current page, check whether it contains the node you are looking for; if it does, return the result and stop searching.
(2) If the current page's directory has no web.config file, or the file does not contain the node, search the parent directory, and so on up to the root directory of the website.
(3) If the root directory of the website has no web.config file, or that file does not contain the node, look in %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config.
(4) If the node does not exist in %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config either, look in %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config.
(5) If it is still not found, return null.
While an ASP.NET application is running, a change to the web.config file causes the application to restart, and user session information held in server memory (such as Session data stored in memory) is lost.

(1) <appSettings> configuration node

The <appSettings> node is mainly used to store configuration information for the ASP.NET application, such as the path where uploaded files are saved.


<appSettings>
 <add key="ImageType" value=".jpg;.bmp;.gif;.png;.jpeg"/> <!-- Types of picture formats allowed for uploading --> 
</appSettings>

// Read the value stored under the "ImageType" key defined above
string fileType = ConfigurationManager.AppSettings["ImageType"];

(2) <connectionStrings> node

The <connectionStrings> node is mainly used to configure database connections. Any number of child nodes can be added to <connectionStrings> to hold database connection strings, and the code then instantiates the database connection object by reading the node value at run time. When the database connection information changes during deployment, only this configuration has to change; the program code does not need to be modified and redeployed.


<connectionStrings> 
 <add name="AspNetStudyConnectionString1" connectionString="Data Source=(local);Initial Catalog=AspNetStudy;User ID=sa;Password=sa"/>
</connectionStrings>

string connectionString = ConfigurationManager.ConnectionStrings["AspNetStudyConnectionString1"].ConnectionString;

(3) <compilation> node

The <compilation> node configures all compilation settings used by ASP.NET. The default debug attribute is "true", which allows debugging. This affects the performance of the website, so it should be set to "false" once the program has been compiled and delivered for use.

(4) <authentication> node

Sets the ASP.NET authentication mode. There are four authentication modes, with the following values:
Windows: uses Windows authentication, for domain users or LAN users.
Forms: uses forms authentication and relies on the website developers to perform authentication.
Passport: uses the authentication service provided by Microsoft.
None: does not perform any authentication.

(5) <customErrors> node

The <customErrors> node defines custom error message information. It has two attributes, Mode and defaultRedirect. defaultRedirect is optional and gives the default URL the application redirects to when an error occurs; if it is not specified, a generic error is displayed. Mode is required and has three possible values, with the following meanings:
On: both local and remote users see custom error messages.
Off: custom error messages are disabled, and both local and remote users see detailed error messages.
RemoteOnly: local users see detailed error messages, while remote users see custom error messages.
The concepts of local user and remote user need some explanation here. We are a local user when the machine used to access the ASP.NET application is the same machine that publishes it; otherwise we are a remote user. To find errors during development and debugging, it is recommended to set the Mode attribute to Off. In deployment, Mode should be set to On or RemoteOnly, so that detailed error messages do not expose details of the program code and give attackers information that helps them break in.

(6) <error> child node

The <customErrors> node can also contain <error> child nodes, which redirect to a custom error page according to the server's HTTP error status code. Note that for the <error> child nodes to take effect, the Mode attribute of the <customErrors> node must be set to "On". Here's an example:


<customErrors mode="On" defaultRedirect="GenericErrorPage.htm"> 
 <error statusCode="403" redirect="403.htm" />
 <error statusCode="404" redirect="404.htm" />
</customErrors>

(7) <httpHandlers> node

The <httpHandlers> node routes a user's request to the corresponding handler based on the URL and HTTP verb of the request. It can be configured at any level of the configuration hierarchy, which means special handling can be applied to particular files in a specific directory.


<httpHandlers>
 <add path="*.rules" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.xoml" verb="*" type="System.ServiceModel.Activation.HttpHandler, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
 <add path="trace.axd" verb="*" type="System.Web.Handlers.TraceHandler" validate="true"/>
 <add path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" validate="true"/>
 <add path="*.axd" verb="*" type="System.Web.HttpNotFoundHandler" validate="true"/>
 <add path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" validate="true"/>
 <add path="*.ashx" verb="*" type="System.Web.UI.SimpleHandlerFactory" validate="true"/>
 <add path="*.asmx" verb="*" type="System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="false"/>
 <add path="*.rem" verb="*" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
 <add path="*.soap" verb="*" type="System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
 <add path="*.asax" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.ascx" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.master" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.skin" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.browser" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.sitemap" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.dll.config" verb="GET,HEAD" type="System.Web.StaticFileHandler" validate="true"/>
 <add path="*.exe.config" verb="GET,HEAD" type="System.Web.StaticFileHandler" validate="true"/>
 <add path="*.config" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.cs" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.csproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.vb" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.vbproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.webinfo" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/> 
 <add path="*.licx" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.resx" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/> 
 <add path="*.resources" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.vjsproj" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.java" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.jsl" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.ad" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.dd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.ldd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.sd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.cd" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.adprototype" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.lddprototype" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.sdm" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.sdmDocument" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/> 
 <add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.exclude" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/> 
 <add path="*.refresh" verb="*" type="System.Web.HttpForbiddenHandler" validate="true"/>
 <add path="*.svc" verb="*" type="System.ServiceModel.Activation.HttpHandler, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" validate="false"/>
 <add path="*" verb="GET,HEAD,POST" type="System.Web.DefaultHttpHandler" validate="true"/>
 <add path="*" verb="*" type="System.Web.HttpMethodNotAllowedHandler" validate="true"/>
</httpHandlers>

As you can see from the above configuration, GET or POST requests for *.mdf and *.ldf files are sent to System.Web.HttpForbiddenHandler, and the result is that the user cannot view or download those files. If we do not want users to download the files under a certain folder, or files of a certain type, we can add the corresponding child node to the <httpHandlers> node.
Let's take an example to illustrate the <httpHandlers> node: create an IPData directory in the ASP.NET application, create an IPData.txt file in the IPData directory, and then add the following configuration to web.config:


<httpHandlers>
 <add path="IPData/*.txt" verb="*" type="System.Web.HttpForbiddenHandler"/>
</httpHandlers>

(9) <httpRuntime> node

The <httpRuntime> node is used to set up the ASP.NET HTTP runtime. This section can be declared at the computer, site, application, and subdirectory levels.
For example, the following configuration limits user uploads to a maximum file size of 40M (40*1024K), sets a maximum timeout of 60 seconds, and allows a maximum of 100 concurrent requests:


<httpRuntime maxRequestLength="40960" executionTimeout="60" appRequestQueueLimit="100"/>

(10) <pages> node

The <pages> node holds settings that apply to pages, and has three main attributes, as follows:
buffer: whether HTTP response buffering is enabled.
enableViewStateMac: whether a machine authentication check (MAC) should be run on the page's view state to prevent user tampering. Defaults to false; setting it to true causes performance degradation.
validateRequest: whether user input is checked for cross-site scripting and SQL injection attacks. The default is true, and an HttpRequestValidationException is thrown if a match occurs. Set this attribute to false, and validate user input yourself, for pages that contain online text editors.


<pages buffer="true" enableViewStateMac="true" validateRequest="false"/>
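The deployment advice in the <compilation>, <customErrors> and <pages> sections can be checked mechanically before a release. The following audit script is an added example, not code from the original article; the sample configuration and the rule list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (illustrative only, not from a real site).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true"/>
    <customErrors mode="Off" defaultRedirect="GenericErrorPage.htm"/>
    <pages buffer="true" enableViewStateMac="false" validateRequest="false"/>
  </system.web>
</configuration>"""

# (element, attribute, values acceptable for deployment, reason to review)
RULES = [
    ("compilation", "debug", {"false"},
     "debug should be false once the site is delivered for use"),
    ("customErrors", "mode", {"on", "remoteonly"},
     "remote users see detailed error messages"),
    ("pages", "enableViewStateMac", {"true"},
     "view state has no MAC check against tampering"),
    ("pages", "validateRequest", {"true"},
     "request validation is off; the page must validate input itself"),
]

def audit_web_config(xml_text):
    """Return (element, attribute, value, reason) for each setting to review."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also reaches <system.web> sections nested deeper in the file.
    for section in root.iter("system.web"):
        for element, attribute, safe_values, reason in RULES:
            node = section.find(element)
            value = node.get(attribute) if node is not None else None
            if value is None:
                continue  # not set in this file: an inherited value applies
            if value.strip().lower() not in safe_values:
                findings.append((element, attribute, value, reason))
    return findings

if __name__ == "__main__":
    for element, attribute, value, reason in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f'<{element} {attribute}="{value}">: {reason}')
```

A setting that is absent from the file is skipped rather than flagged, because its effective value comes from a parent web.config or machine.config under the lookup rules at the top of the page.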

(11) <sessionState> node

The <sessionState> node configures session state for the current ASP.NET application. Here is a common configuration:


<sessionState cookieless="false" mode="InProc" timeout="30" />

The configuration above enables cookies in the ASP.NET application, specifies that session state is stored in-process, and sets a session timeout of 30 minutes.
The Mode attribute of the <sessionState> node can be one of the following values:
Custom: uses a custom data store for session state data.
InProc: the default. Session state data is stored by the ASP.NET worker process.
Off: disables session state.
SQLServer: uses an out-of-process SQL Server database to hold session state data.
StateServer: uses the out-of-process ASP.NET state service to store state information.
By default, InProc mode is used to store session state data. The advantage of this mode is fast access; the disadvantage is that it takes up memory, so it is not suitable for storing large amounts of user session data.

(12) <globalization> node

Used to configure globalization settings for the application. This node has several important attributes, as follows:
fileEncoding: optional. Sets the storage encoding for .aspx, .asmx, and .asax files.
requestEncoding: optional. Sets the encoding of client requests; defaults to UTF-8.
responseEncoding: optional. Sets the encoding of the server-side response; defaults to UTF-8.
The following is the default configuration in an ASP.NET application:



(13) web.config file reading and writing

