Web.config is the primary configuration file for the Legacy Cycle Store, an ASP.NET MVC 4 application targeting .NET Framework 4.5. It controls everything from database connectivity and authentication behavior to error handling and JavaScript validation. All environment-specific values — database endpoints, credentials, and debug flags — live here and are transformed at deployment time via XML Document Transform (XDT) files.

Connection Strings

The application uses a single Entity Framework connection string named CYCLE_STOREEntities. This is an ADO.NET Entity Framework metadata connection string that bundles both the EDM model paths and the underlying SQL Server connection details into one value.
<connectionStrings>
  <add name="CYCLE_STOREEntities"
    connectionString="metadata=res://*/Business.CycleModel.csdl|res://*/Business.CycleModel.ssdl|res://*/Business.CycleModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=sqlrdsdb.xxxxx.us-east-1.rds.amazonaws.com;initial catalog=CYCLE_STORE;user id=xxxx;password=xxxx;MultipleActiveResultSets=True;App=EntityFramework&quot;"
    providerName="System.Data.EntityClient" />
</connectionStrings>
The inner provider connection string contains the following components:
data source (string, required): The hostname of the Amazon RDS SQL Server instance, e.g. sqlrdsdb.xxxxx.us-east-1.rds.amazonaws.com. This value is region-specific and is output by the CloudFormation stack as SQLDatabaseEndpoint.
initial catalog (string, required): The SQL Server database name. Always set to CYCLE_STORE for this application.
user id (string, required): The SQL Server login username. Corresponds to the username field stored in the CycleStoreCredentials Secrets Manager secret (DBUser).
password (string, required): The SQL Server login password. Corresponds to the password field stored in the CycleStoreCredentials Secrets Manager secret. Never commit plaintext credentials to source control.
MultipleActiveResultSets (bool, default: "True"): Enables MARS, which allows multiple active result sets on a single connection. Required by Entity Framework when it opens multiple readers concurrently during lazy loading or complex queries.
App (string, default: "EntityFramework"): Tags the connection in SQL Server’s activity monitor and Extended Events sessions for easier diagnostics.

App Settings

The <appSettings> block contains five keys that configure the ASP.NET runtime and MVC framework behavior.
<appSettings>
  <add key="webpages:Version" value="2.0.0.0" />
  <add key="webpages:Enabled" value="false" />
  <add key="PreserveLoginUrl" value="true" />
  <add key="ClientValidationEnabled" value="true" />
  <add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>
webpages:Version (string, default: "2.0.0.0"): Specifies the version of the ASP.NET Web Pages (Razor) assembly to load. Set to 2.0.0.0 to match the MVC 4 runtime, preventing assembly version conflicts at startup.
webpages:Enabled (bool, default: "false"): When false, the Web Pages framework is disabled and the application runs as a pure MVC app. Prevents accidental routing of .cshtml files directly as Web Pages.
PreserveLoginUrl (bool, default: "true"): Instructs the runtime to preserve the original ReturnUrl query string parameter through authentication redirects. Ensures users are returned to the page they originally requested after logging in.
ClientValidationEnabled (bool, default: "true"): Enables client-side validation using the jQuery Validate library in conjunction with MVC’s Html.ValidationMessageFor helpers. Validation attributes from data annotations are rendered as HTML5 data-val-* attributes.
UnobtrusiveJavaScriptEnabled (bool, default: "true"): Enables unobtrusive JavaScript mode, where Ajax and validation behaviors are driven by data-* HTML attributes rather than inline script blocks. Works in conjunction with ClientValidationEnabled.

Forms Authentication

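The application uses Forms Authentication to protect routes and manage user sessions. The cookie-based scheme redirects unauthenticated users to the login page and issues an encrypted and validated authentication ticket upon successful login. With requireSSL="false", as configured here, the cookie is not marked Secure and can also be sent over plain HTTP.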
<authentication mode="Forms">
  <forms name="ADVENTUREWORKS.AUTH"
    loginUrl="~/Home/Login"
    protection="All"
    timeout="43200"
    path="/"
    requireSSL="false"
    slidingExpiration="true"
    defaultUrl="~/Home/default"
    enableCrossAppRedirects="false" />
</authentication>
name (string, default: "ADVENTUREWORKS.AUTH"): The name of the HTTP cookie that carries the authentication ticket. Using a non-default name reduces the risk of cookie collisions when multiple ASP.NET applications share the same domain.
loginUrl (string, default: "~/Home/Login"): The route to which unauthenticated requests are redirected. Maps to HomeController.Login.
protection (string, default: "All"): Specifies that the authentication cookie is both encrypted and validated (HMAC). All is the most secure option and the recommended default.
timeout (int, default: "43200"): Session idle timeout in minutes. 43200 equals 30 days. Combined with slidingExpiration="true", the timeout resets on every authenticated request, keeping active users logged in indefinitely.
slidingExpiration (bool, default: "true"): When true, the authentication ticket expiry is extended on each request, so the session only expires after timeout minutes of inactivity.
defaultUrl (string, default: "~/Home/default"): The URL to redirect to after a successful login when no ReturnUrl is present in the query string.
enableCrossAppRedirects (bool, default: "false"): Prevents the authentication system from following ReturnUrl values that point outside the current application, mitigating open-redirect attacks.

Membership Provider

User accounts are managed through ASP.NET Membership using the built-in SqlMembershipProvider. This provider stores hashed credentials in the ASP.NET membership schema tables (typically in a separate ASPNetDB database).
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <add name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="ASPNetDB"
      applicationName="C1AdventureWorks"
      enablePasswordRetrieval="false"
      enablePasswordReset="false"
      requiresQuestionAndAnswer="false"
      requiresUniqueEmail="true"
      minRequiredPasswordLength="1"
      minRequiredNonalphanumericCharacters="0"
      passwordFormat="Hashed" />
  </providers>
</membership>
connectionStringName (string, default: "ASPNetDB"): Points to a separate connection string (not shown above) that targets the ASP.NET membership database. This is distinct from CYCLE_STOREEntities, which targets the product catalog.
applicationName (string, default: "C1AdventureWorks"): Scopes all membership records to this application name within the shared membership tables. Multiple applications can share the same membership database with different applicationName values.
passwordFormat (string, default: "Hashed"): Passwords are stored as salted SHA-1 hashes. Hashed is the most secure of the three options (Clear, Encrypted, Hashed).
requiresUniqueEmail (bool, default: "true"): Enforces that each registered email address maps to exactly one user account.
enablePasswordRetrieval (bool, default: "false"): Password retrieval is disabled because hashed passwords cannot be reversed. Users must reset their password through a separate flow.
minRequiredPasswordLength (int, default: "1"): The minimum password length. Set to 1 for the legacy sample; tighten this in any production deployment.

Custom Errors

When custom errors are enabled, ASP.NET intercepts HTTP error responses and redirects the browser to a friendly error page rather than exposing stack traces or IIS error details.
<customErrors mode="On">
  <error statusCode="404" redirect="~/Error"/>
  <error statusCode="500" redirect="~/Error"/>
</customErrors>
Both 404 Not Found and 500 Internal Server Error responses redirect to the ErrorController, which renders a generic error view. With mode="On", this behavior applies to all visitors including those accessing from localhost. Change to mode="RemoteOnly" during local debugging to see full exception details on your development machine while still showing friendly errors to remote users.

Target Framework

The <system.web> block pins the application to .NET Framework 4.5 for both runtime execution and compilation.
<httpRuntime targetFramework="4.5" />
<compilation debug="true" targetFramework="4.5" />
targetFramework (httpRuntime) (string, default: "4.5"): Instructs the ASP.NET runtime to use .NET 4.5 behavioral quirks mode, enabling breaking changes introduced in 4.5 (such as updated encoding behavior and async improvements).
targetFramework (compilation) (string, default: "4.5"): Tells the Roslyn/C# compiler which framework version to target when compiling views and app code at runtime.
debug (bool, default: "true"): When true, assemblies are compiled without optimization and script/CSS bundling is disabled. This must be set to false in production. The Web.Release.config transform handles this automatically.

Config Transforms

The repository includes two XDT transform files that modify Web.config values at publish time without editing the base file directly.

Web.Debug.config is applied during local debug builds. It typically leaves settings unchanged or adds developer-specific overrides such as a local SQL Server connection string.

Web.Release.config is applied when publishing to a staging or production environment. It performs at minimum the following transforms:
<!-- Web.Release.config -->
<compilation xdt:Transform="RemoveAttributes(debug)" />
This removes the debug="true" attribute from <compilation>, switching the runtime to release mode. Additional transforms can swap connection strings, update the RDS endpoint, and change authentication requireSSL to true for HTTPS-only deployments.
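A check that can run against the published Web.config after the release transform, covering the settings this page says should change outside the sample (debug, requireSSL, minRequiredPasswordLength, a password inside the connection string). This is an added example, not code from the repository; the function name, finding IDs, the constructed sample file and the 12-character threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MIN_PASSWORD_LENGTH = 12  # assumed policy threshold, not a value from this page

# Constructed sample: a trimmed Web.config carrying the values shown on this page.
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="CYCLE_STOREEntities" connectionString="provider=System.Data.SqlClient;provider connection string=&quot;data source=db.example.invalid;initial catalog=CYCLE_STORE;user id=xxxx;password=xxxx&quot;" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="On" />
    <authentication mode="Forms">
      <forms name="ADVENTUREWORKS.AUTH" requireSSL="false" timeout="43200" />
    </authentication>
    <membership defaultProvider="SqlProvider"><providers>
      <add name="SqlProvider" minRequiredPasswordLength="1" />
    </providers></membership>
  </system.web>
</configuration>"""

def audit_web_config(xml_text):
    """Return sorted finding IDs for a published (post-transform) Web.config."""
    root = ET.fromstring(xml_text)
    findings = set()

    def attr(path, name, default):
        node = root.find(path)
        return (default if node is None else node.get(name, default)).lower()

    # A missing debug attribute means false, so only an explicit true is flagged.
    if attr("system.web/compilation", "debug", "false") == "true":
        findings.add("debug-enabled")
    # requireSSL defaults to false when the attribute is absent.
    if attr("system.web/authentication/forms", "requireSSL", "false") != "true":
        findings.add("auth-cookie-not-ssl-only")
    # customErrors defaults to RemoteOnly; only Off shows details to remote users.
    if attr("system.web/customErrors", "mode", "RemoteOnly") == "off":
        findings.add("custom-errors-off")
    for p in root.findall("system.web/membership/providers/add"):
        # SqlMembershipProvider uses 7 when minRequiredPasswordLength is absent.
        if int(p.get("minRequiredPasswordLength", "7")) < MIN_PASSWORD_LENGTH:
            findings.add("weak-password-length:" + p.get("name", "?"))
    for c in root.findall("connectionStrings/add"):
        # Flags any password/pwd key, including placeholder values.
        if re.search(r"\b(password|pwd)\s*=", c.get("connectionString", ""), re.I):
            findings.add("embedded-db-password:" + c.get("name", "?"))
    return sorted(findings)
```

Calling audit_web_config(SAMPLE) reports four findings for the base file; a build step can fail the publish when the list is non-empty.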
When migrating this application to ASP.NET Core, Web.config is replaced by appsettings.json (and appsettings.Production.json for environment overrides). Connection strings, app settings, and authentication configuration all move to the new JSON format, and secrets should be managed via AWS Secrets Manager or environment variables rather than stored in configuration files.
