There are two Config Files Web.Config and Machine.Config and these configurations files are XML-based text files and have named web.config that can be appear in any directory of web application created in ASP.NET. Web.config configuration settings to all the files and on child directory file of the application and directory it is located in and to all virtual child directories beneath it. Child directories have option to override or modify settings that is specified in parent directories.
The root configuration file WinNTMicrosoft.NETFrameworkconfigmachine.config provides default configuration settings for the entire machine and all application under it. But one thing is that IIS can not configure to direct browser access to web.config files to ensure that their values can not become public and error which is shown is ASP.NET to return 403: Access Forbidden. The main function of Config file explorer it self at run time in ASP.NET and ASP.NET uses these web.config configuration files to hierarchically compute a unique collection of settings for each incoming URL target request.Some of the settings that's coming in Config files is just like session state. Session state features can be added in web.config in session state tag.We can also set the timeout policy there which is default 20 minutes mainly there are four modes of session in config file.
Off -Indicates that session state is not enabled.
Inproc – Indicates that session state is stored locally.
StateServer-Indicates that session state is stored on a remote server.
SQLServer-Indicates that session state is stored on the SQL Server.
And another section of the config file is connection string or we can say that appSettings that's the great advantage of config file that we can place our connection string that's helping in securing of our connection string from the user because this file can not be browse some other feature also in config file just like Custom Error, Authorization, Authentication assembly reference.