Deleting folders clears session variables

osh.sean

I'm having a problem and I can't find anything about this anywhere else
out there.

I'm working on a solution that allows the end user to create folders /
upload files to the web server. Some pertinent information is being
stored in a session variable. If a user deletes the folder from the
application, it clears any session variables as if deleting a folder
made a call to Session.Abandon(). This also occurs if I delete the
folder through Windows Explorer and then go back to the web browser,
the session variables are cleared.

Anyone else running into this problem? Have I done something wrong? Is
my server not configured properly?
 
Brock Allen

I suspect ASP.NET detects the filesystem change as significant enough to
restart the AppDomain. If you store your session out of process (in the NT
State Server, or a SqlServer/SqlExpress database) then you'll be ok.

As a side note, I'd strongly suggest not allowing people to upload context
into your web application directory structure. They could upload code (such
as an ASPX file) that executes on the server and does things you don't want
them to do. I'd suggest allowing them to upload to a different directory
that's configured in IIS as an application. If you want users to be able
to upload content that is accessible via the web application, then perhaps
save it in a database instead and write a specific handler or page to allow
retrieval of that data.
 
Brock Allen

Gah, sorry, full of typos. That's what I get for typing and talking on the
phone at the same time. Ok, fixed version:

I suspect ASP.NET detects the filesystem change as significant enough to
restart the AppDomain. If you store your session out of process (in the NT
State Server, or a SqlServer/SqlExpress database) then you'll be ok.

As a side note, I'd strongly suggest not allowing people to upload content
into your web application directory structure. They could upload code (such
as an ASPX file) that executes on the server and does things you don't want
them to do. I'd suggest allowing them to upload to a different directory
that's not configured in IIS as an application. If you want users to be able
to upload content that is accessible via the web application, then perhaps
save it in a database instead and write a specific handler or page to allow
retrieval of that data.

-Brock
DevelopMentor
http://staff.develop.com/balle
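
An added example (not code from anyone in this thread) of the retrieval handler suggested above: uploads sit in a directory outside any IIS application and are served only through an authenticated handler keyed by an opaque id. The storage path `D:\UploadStore`, the `DownloadHandler` and `StoredFile` names, and the in-memory `Catalog` standing in for the database table are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

public class DownloadHandler : IHttpHandler
{
    // Assumed path: outside every IIS application, so nothing stored here is
    // ever executed by ASP.NET, and folder changes here happen outside the
    // application's own directory tree.
    private static readonly string StorageRoot = Path.GetFullPath(@"D:\UploadStore");

    // Constructed stand-in for the database table: opaque id -> stored file.
    private static readonly Dictionary<Guid, StoredFile> Catalog =
        new Dictionary<Guid, StoredFile>
        {
            { new Guid("11111111-2222-3333-4444-555555555555"),
              new StoredFile { DiskName = "a1b2c3.bin", DownloadName = "report.pdf" } }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Only signed-in users (forms authentication) may fetch files.
        if (!context.Request.IsAuthenticated) { context.Response.StatusCode = 401; return; }

        // The client supplies an id only, never a path or a file name.
        Guid id;
        StoredFile file;
        if (!Guid.TryParse(context.Request.QueryString["id"], out id) ||
            !Catalog.TryGetValue(id, out file))
        { context.Response.StatusCode = 404; return; }

        // Resolve the stored name and confirm it is still inside the storage root.
        string full = Path.GetFullPath(Path.Combine(StorageRoot, file.DiskName));
        bool inside = full.StartsWith(StorageRoot + Path.DirectorySeparatorChar,
                                      StringComparison.OrdinalIgnoreCase);
        if (!inside || !File.Exists(full)) { context.Response.StatusCode = 404; return; }

        // Always send as a download with a generic type so the browser does
        // not render or sniff the content.
        string safeName = Path.GetFileName(file.DownloadName).Replace("\"", "");
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        context.Response.AddHeader("Content-Disposition",
                                   "attachment; filename=\"" + safeName + "\"");
        context.Response.TransmitFile(full);
    }

    private class StoredFile { public string DiskName; public string DownloadName; }
}
```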
 
osh

Brock,

Thanks for a quick response.

If the AppDomain is being restarted with any file system change, would
that not also log the user out of the system (I'm using forms
authentication)? It's not doing a sign out from forms authentication,
rather it's just clearing the session variables.

Your suggestion, for example, you are saying that if my application is
in /intranet/ that the uploads should be posted to a different
directory outside of this web application?

I thought the users would try to upload ASPX or other code, and what
the user can upload is limited from both file extension and file
content type. File names are also encrypted and I wrote a handler that
will serve a requested file to the end user upon request without
revealing the URL. I'm using a database to keep track of almost a "mock"
directory structure - but the physical paths/files themselves are never
revealed during browsing, uploading, or downloading. Think that's
enough?

Thanks!
 
