how does the app_data folder work

re:
!is app_data a reserved name for IIS and ASP.Net

No, it's not.

The files which are not served are set in the master web.config file, in the
<httpHandlerssection, managed by System.Web.HttpForbiddenHandler.

That m,aster web.config file is located at :
drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ CONFIG\web.config

Examples :

<add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

You can add any other file extensions you don't want
ASP.NET to serve directly by following that format.

re:
!is there some jiggery pokery going on behind the scenes with file permissions or virtual roots?

There's also some jiggery pokery going on behind the scenes with file permissions or virtual roots.

If you create a Web site in Visual Web Developer (whether the standalone or the VS IDE),
VWD creates a folder named App_Data below the current root folder.

The folder is designed to be a store for application data of any type.

The App_Data folder is also used by ASP.NET to store databases that the system maintains,
such as the database for membership and roles.

When VWD creates the App_Data folder, it grants Read and Write permissions
for the folder to the ASPNET or NETWORK SERVICE user account.

So, if a request is made from an external browser for a forbidden file,
the account requesting it won't be the ASPNET or NETWORK SERVICE accounts,
which are the only ones which are allowed access to those files.

There's no "unexplained magic" involved.
It's all pretty much straightforward.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <aj****@blueyonder.co.ukwrote in message news:uK*************@TK2MSFTNGP06.phx.gbl...

Hi,

From what I can gather, under Asp.Net 2.0, it is safe to put data and config files underneath the app_data in the web
root and they will not be served directly to the browser from a URL.

Can anyone explain just how this feature works. is app_data a reserved name for IIS and ASP.Net, or is there some
jiggery pokery going on behind the scenes with file permissions or virtual roots?

It's not that I don't trust Microsoft; it's just that .... well.... I guess I don't trust Microsoft - especially where
bits of unexplained magic are concerned :-)

TIA

Andy

Thanks for the reply, but I still don't really get it

let's say I create a new web site (just using explorer and IIS admin - not
visual web developer) with a one folder called foo and one called app_data

inside each folder I place a file with an unknown extension not mentioned in
the global web.config - say foo.bar

I can access http://localhost/mysite/foo/foo.bar but not
http://localhost/mysite/app_data/foo.bar even though the file permissions
are the same

so surely there must be some magic going on behind the scenes somewhere?

Andy

"Juan T. Llibre" <no***********@nowhere.comwrote in message
news:%2***************@TK2MSFTNGP02.phx.gbl...

re:
!is app_data a reserved name for IIS and ASP.Net

No, it's not.

The files which are not served are set in the master web.config file, in
the
<httpHandlerssection, managed by System.Web.HttpForbiddenHandler.

That m,aster web.config file is located at :
drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ CONFIG\web.config

Examples :

<add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler"
validate="True" />
<add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler"
validate="True" />
<add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler"
validate="True" />
<add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler"
validate="True" />

You can add any other file extensions you don't want
ASP.NET to serve directly by following that format.

re:
!is there some jiggery pokery going on behind the scenes with file
permissions or virtual roots?

There's also some jiggery pokery going on behind the scenes with file
permissions or virtual roots.

If you create a Web site in Visual Web Developer (whether the standalone
or the VS IDE),
VWD creates a folder named App_Data below the current root folder.

The folder is designed to be a store for application data of any type.

The App_Data folder is also used by ASP.NET to store databases that the
system maintains,
such as the database for membership and roles.

When VWD creates the App_Data folder, it grants Read and Write permissions
for the folder to the ASPNET or NETWORK SERVICE user account.

So, if a request is made from an external browser for a forbidden file,
the account requesting it won't be the ASPNET or NETWORK SERVICE accounts,
which are the only ones which are allowed access to those files.

There's no "unexplained magic" involved.
It's all pretty much straightforward.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <aj****@blueyonder.co.ukwrote in message
news:uK*************@TK2MSFTNGP06.phx.gbl...

>Hi,

From what I can gather, under Asp.Net 2.0, it is safe to put data and
config files underneath the app_data in the web root and they will not be
served directly to the browser from a URL.

Can anyone explain just how this feature works. is app_data a reserved
name for IIS and ASP.Net, or is there some jiggery pokery going on behind
the scenes with file permissions or virtual roots?

It's not that I don't trust Microsoft; it's just that .... well.... I
guess I don't trust Microsoft - especially where bits of unexplained
magic are concerned :-)

TIA

Andy

Hi, Andy.

re:
!so surely there must be some magic going on behind the scenes somewhere?

Not quite "magic" but, yes, any data files you put
in the App_Data folder will be protected by default.

No external http requests for any file there will be honored.

What I tried to say was that the mechanism has nothing
to do with "reserved names", as you suggested it might.

There *is*, however an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the file won't get served.

re:
!inside each folder I place a file with an unknown extension
!not mentioned in the global web.config - say foo.bar

If you want *.bar files protected, you'd have to add :

<add path="*.bar" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <aj****@blueyonder.co.ukwrote in message news:e3**************@TK2MSFTNGP04.phx.gbl...

Thanks for the reply, but I still don't really get it

let's say I create a new web site (just using explorer and IIS admin - not visual web developer) with a one folder
called foo and one called app_data

inside each folder I place a file with an unknown extension not mentioned in the global web.config - say foo.bar

I can access http://localhost/mysite/foo/foo.bar but not http://localhost/mysite/app_data/foo.bar even though the file
permissions are the same

so surely there must be some magic going on behind the scenes somewhere?

Andy

"Juan T. Llibre" <no***********@nowhere.comwrote in message news:%2***************@TK2MSFTNGP02.phx.gbl...

>re:
!is app_data a reserved name for IIS and ASP.Net

No, it's not.

The files which are not served are set in the master web.config file, in the
<httpHandlerssection, managed by System.Web.HttpForbiddenHandler.

That m,aster web.config file is located at :
drive:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 \CONFIG\web.config

Examples :

<add path="*.mdb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldb" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.mdf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />
<add path="*.ldf" verb="*" type="System.Web.HttpForbiddenHandler" validate="True" />

You can add any other file extensions you don't want
ASP.NET to serve directly by following that format.

re:
!is there some jiggery pokery going on behind the scenes with file permissions or virtual roots?

There's also some jiggery pokery going on behind the scenes with file permissions or virtual roots.

If you create a Web site in Visual Web Developer (whether the standalone or the VS IDE),
VWD creates a folder named App_Data below the current root folder.

The folder is designed to be a store for application data of any type.

The App_Data folder is also used by ASP.NET to store databases that the system maintains,
such as the database for membership and roles.

When VWD creates the App_Data folder, it grants Read and Write permissions
for the folder to the ASPNET or NETWORK SERVICE user account.

So, if a request is made from an external browser for a forbidden file,
the account requesting it won't be the ASPNET or NETWORK SERVICE accounts,
which are the only ones which are allowed access to those files.

There's no "unexplained magic" involved.
It's all pretty much straightforward.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <aj****@blueyonder.co.ukwrote in message news:uK*************@TK2MSFTNGP06.phx.gbl...

>>Hi,

From what I can gather, under Asp.Net 2.0, it is safe to put data and config files underneath the app_data in the
web root and they will not be served directly to the browser from a URL.

Can anyone explain just how this feature works. is app_data a reserved name for IIS and ASP.Net, or is there some
jiggery pokery going on behind the scenes with file permissions or virtual roots?

It's not that I don't trust Microsoft; it's just that .... well.... I guess I don't trust Microsoft - especially
where bits of unexplained magic are concerned :-)

TIA

Andy

>

There *is*, however an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the file
won't get served.

So just to confirm, the special processing of the app_data folder is a rule
hard-coded into IIS - correct ?

re:
!So just to confirm, the special processing of
!the app_data folder is a rule hard-coded into IIS - correct ?

Hard-coded into ASP.NET, more precisely.
It's an ASP.NET check which prevents the files from getting served by IIS.

IIS never even knows the file was requested.
ASP.NET checks...and doesn't send IIS the request.

ASP.NET is an ISAPI filter which sits between the client and IIS,
passing data requests to IIS, after processing them with its rules.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <aj****@blueyonder.co.ukwrote in message news:%2****************@TK2MSFTNGP02.phx.gbl...

There *is*, however an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the file won't get served.

So just to confirm, the special processing of the app_data folder is a rule hard-coded into IIS - correct ?

thanks for the info - I get it now :-)

"Juan T. Llibre" <no***********@nowhere.comwrote in message
news:O0**************@TK2MSFTNGP06.phx.gbl...

re:
!So just to confirm, the special processing of
!the app_data folder is a rule hard-coded into IIS - correct ?

Hard-coded into ASP.NET, more precisely.
It's an ASP.NET check which prevents the files from getting served by IIS.

IIS never even knows the file was requested.
ASP.NET checks...and doesn't send IIS the request.

ASP.NET is an ISAPI filter which sits between the client and IIS,
passing data requests to IIS, after processing them with its rules.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
======================================
"Andy Fish" <aj****@blueyonder.co.ukwrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...

>
There *is*, however an internal check for the source of the request.
If the request for a file in App_Data is external to the server, the
file won't get served.

So just to confirm, the special processing of the app_data folder is a
rule hard-coded into IIS - correct ?