The Web.config is an XML based configuration file for the entire application and resides in the application root. It provides the application wide settings for the entire application. The Machine.config located at the "C:\WINDOWS\Microsoft.NET\Framework\vx.x.xxxx\CONFIG" directory, is used to apply configuration settings for any applications that are running in the entire system. In my system with .NET Framework 1.1 installed, it is located at the "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG" directory. This article discusses both and shows how we can use them in our applications. Note that I have discussed the most important sections in these files. I would request the readers to refer other reference materials for a complete reference on these files.

The XML based web.config file is used to specify the application wide settings for your entire application. The system wide settings are however stored in the machine.config file. There can be multiple config files in your application (one per each folder in your application) but only one machine.config file. Note that the settings specified in the Web.config file actually override the settings that are specified in the Machine.config file.

When you create a new blank solution and select ASP.NET web application, the solution is created with a web.config file at the application's root. The web.config file is present in the root of the application's directory, although you can also have multiple web.config files, one for each subdirectory. Typically, the layout of the web.config file is as follows.

Listing 1

<configuration> 
 <system.web> 
 <!— Specify your Compilation, Custom Error, Authentication, Authorization, etc sections here -->    
 </system.web> 
 <appSettings> 
 <!— Specify the Database connection string, File path, Server Name and other Custom Settings here -->    
 </appSettings > 
</configuration>

You can use the <pages> section of the <system.web> section group to specify whether session and/or view state would be enabled or disabled for the web pages of the application. Refer to the code snippet below.

Listing 2

<configuration>
    <system.web>
        <pages enableSessionState="true" />
    </system.web>
</configuration>

The default language attribute of the compilation section is used to specify the language compiler that would be used. The authentication and authorization sections in the web.config file allow you to specify the authentication mode applicable for your application and the authorization information for the authenticated users. You can have the following three types of authentication modes in ASP.NET.

·         Forms Authentication

·         Windows authentication

·         Passport authentication

You can specify the authentication mode as shown below.

Listing 3

<authentication mode="Windows" />

You can specify the authorization information for users as shown below.

Listing 4

<authorization> 
  <allow roles="Users" /> 
  <deny users="*" /> 
</authorization>

You can also specify the trace and globalization information using the respective sections in the web.config file. The following code snippet illustrates how you can specify the trace information in the web.config file.

Listing 5

<trace enabled="true" localOnly="true" pageOutput="false" /> 

You can specify the globalization information as shown in the code snippet below.

Listing 6

<globalization requestEncoding="utf-8" responseEncoding="utf-8" culture="en-GB" />

You can specify the application wide error information using the <customErrors> section. The following is an example of how you can use this section to specify the application wide error information.

Listing 7

<customErrors mode="On">
<error statusCode="404" redirect="FileUnavailable.aspx"/>
</customErrors>

You can impersonate a user using the <identity impersonate> section of the web.config file as shown below.

Listing 8

<identity impersonate="true" userName="joydip" password="joydip"/> 

Please refer to my article on Authentication and Authorization in ASP.NET for more information on impersonation.

Further, you can use the <sessionState> section of the web.config file to specify the session state storage mode (InProc, OutProc, StateServer, SqlServer) that would be used. Refer to the code snippet below that illustrates how you can specify the session state storage mode in the <sessionState> section of the web.config file.

Listing 9

<sessionState mode="InProc" />

The <appSettings> section is the most widely used of all the sections in the web.config file and it typically stores the following.

·         Database Connection Strings

·         Server Name

·         File Path

·         Custom Key - Value Settings

You can also specify an external configuration file in the web.config file as shown below.

Listing 10

<appSettings file="externalSettings.config"/>

The database connection string is specified in the <appSettings> section as shown below.

Listing 11

<add key="databaseConnectionString" value="server=(localhost);database=test;
         uid=sa;pwd=sa"/>

However, with ASP.NET 2.0, you can use the new <connectionStrings> section to store your connection strings. Refer to the code snippet below.

Listing 12

<connectionStrings>
    <add name ="Test"
         connectionString ="server=(localhost);database=test;
         uid=sa;pwd=sa"/>
</connectionStrings>

You can specify custom application - wide settings using the <appSettings> section of the web.config file as shown below.

Listing 13

<appSettings>
    <add key="key" value ="value"/>
</appSettings >

You can also add a new configuration section using the <configSections> section. This is illustrated below.

Listing 14

<configuration>
    <configSections>
        <section name="TestSection" type="Test.TestSettings" />
    </configSections>    
</configuration>

The machine.config located at the "C:\WINDOWS\Microsoft.NET\Framework\vx.x.xxxx\CONFIG" directory, is used to apply configuration settings for all the applications in the entire system. In ASP.NET 2.0 you have a backup of machine.config file as well. Here, the machine.config files available are machine.config, machine.config.comments and machine.config.default. Out of the numerous sections in the machine.config file, the most important ones are:

·         processModel

·         sessionState

·         appSettings

The processModel and the sessionState sections contain the attribute allowDefinition that can have either of the values, MachineOnly or MachineToApplication. If allowDefinition is set to MachineOnly, you cannot override the section in your application or folder level. This is because updating of the definition is restricted and remains constant for the entire system. However, if the allowDefinition attribute's value is MachineToApplication, you can override the same in your application or folder levels. Further, you can override the appSettings attribute of the machine.config file in your web.config configuration file at the application or folder levels as there is not restriction that can be applicable here.

You can control and configure the ASP.NET Worker Process using the <processModel> section of the machine.config file. You can enable or disable it and also recycle the worker process. Further, you can shut down the ASP.NET Worker Process using the idleTimeout or the shutDownTimeout attributes of the <processModel> section.

Trust Levels

Trust levels imply whether a code should be treated by the CLR as trusted. There are various trust levels in ASP.NET with specific implications for each. This section would discuss how we can modify the trust levels in the machine.config file. It should be noted that an ASP.NET web application has full trust and unrestricted permissions by default. However, you can modify this using the <trust level> section in the machine.config file. The trust level in the machine.config file can have any of the following values:

·         Full

·         High

·         Medium

·         Low

·         Minimal

The following is the syntax for using trust level in the machine.config file.

Listing 19

<trust level="Full|High|Medium|Low|Minimal" />

Refer to the code snippet that that illustrates how you can set the trust level in the machine.config file.

Listing 20

<system.web>
  <trust level="Medium" originUrl=""/>
</system.web>

Note that with ASP.NET 2.0, you can have trust levels at both the application and machine levels.

To read the web.config file, use the code snippet given below.

Listing 15

System.Configuration.Configuration wConfig = 
System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration ("/joydip");

Later, you can even save the web.config file to another location in your disk using the code snippet illustrated below.

Listing 16

mConfig.SaveAs ("C:\\wConfig.xml");

You can read the machine.config file using the code snippet shown below.

Listing 17

System.Configuration.Configuration mConfig = 
System.Web.Configuration.WebConfigurationManager.OpenMachineConfiguration ();

Later, you can even save the machine.config file to another location in your disk using the code snippet illustrated below.

Listing 18

mConfig.SaveAs ("C:\\mConfig.xml");

Understanding the Web Configuration File - Part 1

Working with more than one Web.config file

What's in ASP.NET Config Files? [MSDN]

The configuration files in ASP.NET (web.config and machine.config) are XML based and comprise of elements and their attributes. The Machine.config file contains configuration information that apply to all .NET applications for a specific version of the framework installed on the machine, whereas a Web.config file contains configuration settings that apply to a specific ASP.NET application or resource (typically a directory or a file)