The Web.config file is the primary configuration file. There can be more than one web.config file in an application.
Major sections of web.config files are:
The <authentication> element is used to verify the client's identity when the client requests a page from the server. This is set at the application level. We have four types of authentication modes: “None”, “Windows”, “Forms”, and “Passport”.
None is used if we don't need any authentication.
Forms authentication uses web application forms to collect user credentials, and on the basis of the credential, it takes action on a web application.
Windows authentication is the mode usually used. This authentication is handled by IIS. When the user sends a request to the server, IIS authenticates it and sends the authentication identity to the code.
Passport authentication is provided by Microsoft. A redirect URL should be specified; when a request for a page is not authenticated, the user is redirected to this URL.
The <authorization> tag controls client access to web page resources. This element can be declared at any level (machine, site, application, subdirectory, or page).
It uses two tags: <allow> and <deny>
<allow users = "*" />
<allow users = "?" />
<allow users = "ramesh, suresh, dinesh" />
<allow roles = "Administrator, Supervisor" />
<deny users = "*" />
<deny users = "?" />
<deny users = "ramesh, suresh, dinesh" />
<deny roles = "Administrator, Supervisor" />
In the <compilation> section, we can configure the settings of the compiler. It has many attributes, but the most common ones are debug and defaultLanguage. Setting debug to true means we want debugging information in the browser, but it has a performance tradeoff, so it is normally set to false. defaultLanguage tells ASP.NET which language compiler to use: VB or C#.
The <customErrors> tag holds the error settings for the application, and is used to give custom error pages (user-friendly error pages) to end users. When an error occurs, the request is redirected to the default URL. To enable or disable custom errors, we need to specify the mode attribute. Mode can be On, Off or RemoteOnly.
As the name suggests, the <trace> section is used for tracing the execution of an application. There are two levels of tracing: page level and application level.
For enabling trace at page level, set Trace="True" in the Page tag (on the top of the page).
For enabling trace at application level, set it in web.config.
In the <sessionState> section, we tell ASP.NET where to store the session. By default, it's inproc, which means storing the session values on the server. But we have four options:
"Off" means session is not enabled for the application.
"inproc" means storing the session values on the server.
"StateServer" means session states are stored in a remote server.
"SQLServer" means session states are stored in a SQL Server database.
For this, we need to install the InstallSQLState.sql script in the SQL Server database. It is mainly used when we use web farms (an application deployed on multiple servers), but it is slower than "inproc".
Here are the other settings:
"cookieless": when it is true, the session works without cookies.
“timeout” specifies after how much time the session would expire if the application is not accessed during that period.
"stateConnectionString" needs to be specified when the session mode is StateServer.
"sqlConnectionString" is the connection string of the SQL Server database if the session mode is SQLServer.
"stateNetworkTimeout" attribute, when using the StateServer mode to store session state, specifies the number of seconds the TCP/IP network connection between the web server and the state server can be idle before the session is abandoned. The default is 10.
The <appSettings> section is used to store custom application configuration such as database connection strings, file paths, etc. It can also be used for custom application-wide constants that hold information shared across multiple pages. What goes here depends on the requirements of the application.
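The authentication, compilation, customErrors, trace and sessionState settings described above can be checked before deployment. The following is an added example, not code from the original article: a small Python audit that flags values usually left for development. The sample configuration is constructed, and the script assumes the sections sit directly under system.web with no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real application.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <compilation debug="true" defaultLanguage="C#" />
    <customErrors mode="Off" />
    <trace enabled="true" />
    <sessionState mode="InProc" cookieless="true" timeout="20" />
  </system.web>
</configuration>"""

# (element, attribute, risky values in lower case, why it matters)
CHECKS = [
    ("compilation", "debug", {"true"},
     "debug build: slower, and debugging information can reach the browser"),
    ("customErrors", "mode", {"off"},
     "raw error pages are shown to every client instead of a custom page"),
    ("trace", "enabled", {"true"},
     "application-level tracing records details of each request"),
    ("sessionState", "cookieless", {"true", "useuri"},
     "the session ID travels in the URL, where logs and links expose it"),
    ("authentication", "mode", {"none"},
     "ASP.NET performs no authentication for the application"),
]

def audit_web_config(xml_text):
    """Return a list of (element, attribute, value, reason) findings."""
    root = ET.fromstring(xml_text)
    system_web = next((c for c in root if c.tag == "system.web"), None)
    findings = []
    if system_web is None:
        return findings
    for element, attribute, risky, reason in CHECKS:
        node = system_web.find(element)
        if node is None:
            continue
        value = node.get(attribute)
        if value is not None and value.strip().lower() in risky:
            findings.append((element, attribute, value, reason))
    return findings

if __name__ == "__main__":
    for element, attribute, value, reason in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f'<{element} {attribute}="{value}">: {reason}')
```

Settings placed inside a <location> element or in a web.config of a subdirectory are not seen by this check and need to be audited file by file.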