how does the app_data folder work

[Andy Fish]

Hi,

From what I can gather, under Asp.Net 2.0, it is safe to put data and config
files underneath the app_data in the web root and they will not be served
directly to the browser from a URL.

Can anyone explain just how this feature works. is app_data a reserved name
for IIS and ASP.Net, or is there some jiggery pokery going on behind the
scenes with file permissions or virtual roots?

It's not that I don't trust Microsoft; it's just that .... well.... I guess
I don't trust Microsoft - especially where bits of unexplained magic are
concerned

TIA

Andy

 

[Juan T. Llibre]

re:
!> is app_data a reserved name for IIS and ASP.Net

No, it's not.

The files which are not served are set in the master web.config file, in the
<httpHandlers> section, managed by System.Web.HttpForbiddenHandler.

That m,aster web.config file is located at :
drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config

Examples :

<add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

You can add any other file extensions you don't want
ASP.NET to serve directly by following that format.

re:
!> is there some jiggery pokery going on behind the scenes with file permissions or virtual roots?

There's also some jiggery pokery going on behind the scenes with file permissions or virtual roots.

If you create a Web site in Visual Web Developer (whether the standalone or the VS IDE),
VWD creates a folder named App_Data below the current root folder.

The folder is designed to be a store for application data of any type.

The App_Data folder is also used by ASP.NET to store databases that the system maintains,
such as the database for membership and roles.

When VWD creates the App_Data folder, it grants Read and Write permissions
for the folder to the ASPNET or NETWORK SERVICE user account.

So, if a request is made from an external browser for a forbidden file,
the account requesting it won't be the ASPNET or NETWORK SERVICE accounts,
which are the only ones which are allowed access to those files.

There's no "unexplained magic" involved.
It's all pretty much straightforward.

 

[Andy Fish]

Thanks for the reply, but I still don't really get it

let's say I create a new web site (just using explorer and IIS admin - not
visual web developer) with a one folder called foo and one called app_data

inside each folder I place a file with an unknown extension not mentioned in
the global web.config - say foo.bar

I can access http://localhost/mysite/foo/foo.bar but not
http://localhost/mysite/app_data/foo.bar even though the file permissions
are the same

so surely there must be some magic going on behind the scenes somewhere?

Andy

 

[Juan T. Llibre]

Hi, Andy.

re:
!> so surely there must be some magic going on behind the scenes somewhere?

Not quite "magic" but, yes, any data files you put
in the App_Data folder will be protected by default.

No external http requests for any file there will be honored.

What I tried to say was that the mechanism has nothing
to do with "reserved names", as you suggested it might.

There *is*, however an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the file won't get served.

re:
!> inside each folder I place a file with an unknown extension
!> not mentioned in the global web.config - say foo.bar

If you want *.bar files protected, you'd have to add :

<add path="*.bar" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

 

[Andy Fish]

There *is*, however an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the file
won't get served.

So just to confirm, the special processing of the app_data folder is a rule
hard-coded into IIS - correct ?

 

[Juan T. Llibre]

re:
!> So just to confirm, the special processing of
!> the app_data folder is a rule hard-coded into IIS - correct ?

Hard-coded into ASP.NET, more precisely.
It's an ASP.NET check which prevents the files from getting served by IIS.

IIS never even knows the file was requested.
ASP.NET checks...and doesn't send IIS the request.

ASP.NET is an ISAPI filter which sits between the client and IIS,
passing data requests to IIS, after processing them with its rules.

 

[Andy Fish]

thanks for the info - I get it now

re:
!> So just to confirm, the special processing of
!> the app_data folder is a rule hard-coded into IIS - correct ?

Hard-coded into ASP.NET, more precisely.
It's an ASP.NET check which prevents the files from getting served by IIS.

IIS never even knows the file was requested.
ASP.NET checks...and doesn't send IIS the request.

ASP.NET is an ISAPI filter which sits between the client and IIS,
passing data requests to IIS, after processing them with its rules.