tags:

views:

1185

answers:

2
+3  Q: 

App_Data - Web application's data directory. How secure is it?

In many places in msdn documentation you can find references to App_Data directory. For example here we can read:

To improve security when using a local data file in an ASP.NET application, you should store the data file in the App_Data directory.

and

Files stored in the App_Data directory will not be served to the Web.

I could not find a direct reference that would specify how is that security guaranteed. Are there any IIS settings etc. that I should watch out to ensure that the files we put in the App_Data directory suddenly do not become available to everyone.

A: 

Off the top of my head, I'd imagine they're protected in the same way as .config files are. This basically means, the ASP.NET handler for these items returns a "This type of page is not served" message." It might return a 404 error. The safest way to be sure is not to store your database there.

David Kemp  2009-02-11 17:51:27
+4  A: 

The files are protected by a forbidden file handler. That is safe so long as everything is running. There are possibilities that the ASP.NET handlers can go down leaving only IIS running. In those cases your web.config files and aspx files will be served as straight text files.

If you data isn't really sensitive, it is a good place to store data. If you have highly sensitive data, store it on another machine.

Edit: More information You can read more about forbidden file handlers here http://msdn.microsoft.com/en-us/library/bya7fh0a.aspx. Scrolling down you will notice there is an entry in the "root web.config" file for mdfs. You can typically find this file on your machine at C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

I couldn't find too much info about bringing down asp.net while still leaving iis running, but if you google around for terms like "asks to download aspx" or something like that you can find reports of people having issues (typically asp.net not being configured properly) which would allow for an exploit to occur. I haven't seen it happen very much, but it is possible.

Bob  2009-02-11 17:59:01
Thanks Bob for that answer. Could you recommend some good reading on that subject?
kristof  2009-02-12 09:54:15

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps