Web.config is an XML-formatted text file used to store globally accessible bit of information for every page of the Web application. The file has to reside in the root of the virtual directory. Through Web.config specifies settings like custom 404 error pages, authentication and authorization settings for the Web site, compilation options for the ASP.NET Web pages, if tracing should be enabled, etc.


  • At the root level is the <configuration> tag.
  • Inside the <configuration> tag there are two section group tags: the <system.web> tag and the <appSettings> tag. (See the structure of web.config file in 3.5.)
  • The <appSettings> tag specifies application-wide settings using the <add> tag.
  • The <system.web> tag contains the setting tags such as: <compilation>, <customErrors>, <authentication>, <authorization>, etc. (See all setting tags.)

      <add key="" value="" />...
      <compilation> ...
      <appSettings> ...
      </appSettings> ...

The <system.web> Tag

  • <authentication>: The authentication tag controls the type of authentication used within a Web application, as contained in the attribute mode. If the value is "None", anyone may access the application. If authentication is required, "Windows", "Forms" or "Passport" can be used to define the type of authentication. For example: <authentication mode="Windows" />
  • <authorization>: To allow or deny access to a web application to certain users or roles, use <allow> or <deny> child tags.
          <allow roles="Administrators,Users" />
          <deny users="*" />
    In this example, users carrying the role Administrators or Users will be allowed access, while all others (indicated by the * wildcard) will encounter the second rule and will subsequently be denied access.
  • <compilation>: This tag configures the compiler settings for ASP.NET such as the debug and the defaultLanguage. Setging debug to "true" will engable the browser to display debugging information. The defaultLanguage attribute tells ASP.NET to use either Visual Basic .NET or C# for instance. The value vb is the default.
  • <customErrors>: To provide end users with custom, user-friendly error messages, the mode attribute of this section must be set to On. If it is set to RemoteOnly, custom errors will be shown only to remote clients, while local host users will see the ugly but useful ASP.NET errors -- clearly, this is helpful when debugging. Setting the mode attribute to Offwill show ASP.NET errors to all users.
    If you supply a relative (for instance, /error404.htm) or absolute address (http://.../error404.htm) in the defaultRedirect attribute, the application will be automatically redirected to this address in case of an error. In addition you can use <error> tags to provide a statusCode and a redirect attribute:
      <customErrors mode="RemoteOnly" defaultRedirect="/error.html">
        <error statusCode="403" redirect="http://.../error403.htm"/>
        <error statusCode="404" redirect="/error404.htm"/>

The <appSettings> Tag

      <add key="connString" value="connection string" />
The above code adds an application-wide setting named connString with the connection string value provided by connection string. With that, in any of the ASP.NET Web pages in this Web application, the value of the connString parameter can be used by:

Dim myConnection as New OleConnection(ConfigurationSettings.AppSettings("connString"))