I currently have a database in MS SQL2008 which is accessed via a VB2010.net app on a local area network. The password for the database is hardcoded within the app.config file in the program. However, I want to transfer the database out to the web. To that end I have set up a virtual server to host the database and transferred a copy of the database with some dummy data to the site. I have written an ASP 3.5 app to log in to that test database. The ASP app lets me have a secure user login via authentication within the web.config file (SHA1). Works fine and brings me back a selection of records to a gridview. I can also make the connection from the VB2008 LAN app. However, I cannot figure out how to make this latter a secure connection as is the case with the ASP program. Note: the VB2010 type app is required as it has a large number of modules for speedy data entry, etc. which will not be incorporated within the web app.
Thanks for the reply. The reason I have not gone with a full port over to ASP is speed. I cannot even remotely get the speed with ASP as I can with a Winform. The database has some 110,000 names and address details, as well as other information. A payments table has over 3 million records. At the moment in the Winform app the search module fills a grid picklist with names and other details after the second character of a surname and keeps refining it as each further character is typed. There is virtually no lag time. However, using ASP (with and without AJAX) there is a very noticeable time lag. This lag would be more than tolerable on a new site. However, the users (50-60) have become used to having the speed of previously having a 1GB LAN connection to the server.
Mitigating lag on type-ahead searching is very doable. That said, don't fix what ain't broke...
If they're all coming in on the same network, does that mean they're authenticated to AD at the time? I could just drop them all into a role on SQL Server and give them connection strings with integrated security. Otherwise, it's pretty easy to switch from connectionStrings to an appSettings entry and then use your own encryption method to deal with de/encrypting the string. Wrap it up in a ConfigHelper type deal that accepts an appKey and returns the plain text connection string. It's pretty painless.
Note damn near anything other than integrated security will fail to a determined hacker with reasonable tools. If your code knows how to decrypt it, so does anyone who disassembles your code.
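The two options from the reply above, as an added VB.NET example that is not code from the thread: an integrated-security connection string with no stored secret, and a ConfigHelper that reads a protected appSettings entry. It assumes Windows DPAPI (`ProtectedData`) in place of a home-grown cipher, with the value protected under the Windows account that runs the app; the module layout and parameter names are hypothetical.

```vbnet
Imports System.Configuration            ' needs a reference to System.Configuration.dll
Imports System.Data.SqlClient
Imports System.Security.Cryptography    ' needs a reference to System.Security.dll
Imports System.Text

' Added illustration; server, database and appSettings key names are supplied by the caller.
Public Module ConfigHelper

    ' Preferred: no secret at all. The user's Windows/AD identity is the credential.
    Public Function IntegratedConnectionString(ByVal server As String, ByVal database As String) As String
        Dim b As New SqlConnectionStringBuilder()
        b.DataSource = server
        b.InitialCatalog = database
        b.IntegratedSecurity = True
        b.Encrypt = True   ' encrypt the channel now that traffic leaves the LAN
        Return b.ConnectionString
    End Function

    ' Run once under the account that will use the app; store the result in appSettings.
    Public Function Protect(ByVal plainText As String) As String
        Dim cipher = ProtectedData.Protect(Encoding.UTF8.GetBytes(plainText),
                                           Nothing, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(cipher)
    End Function

    ' Accepts an appSettings key and returns the plain text connection string.
    Public Function GetConnectionString(ByVal appKey As String) As String
        Dim stored = ConfigurationManager.AppSettings(appKey)
        If String.IsNullOrEmpty(stored) Then
            Throw New ConfigurationErrorsException("Missing appSettings entry: " & appKey)
        End If
        Try
            Dim plain = ProtectedData.Unprotect(Convert.FromBase64String(stored),
                                                Nothing, DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(plain)
        Catch ex As FormatException
            Throw New ConfigurationErrorsException("Entry is not Base64: " & appKey, ex)
        Catch ex As CryptographicException
            ' The blob was protected under a different Windows account or machine.
            Throw New ConfigurationErrorsException("Cannot decrypt entry for this user: " & appKey, ex)
        End Try
    End Function

End Module
```

DPAPI keeps the key out of the assembly, so disassembling the app does not reveal it, but any code running as the same Windows user can still call `Unprotect` on the stored value.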