Best Practices and script/executable directories

Jason

Hello,

We're selling an ASP.Net web app to a customer and I've been going through
their requirements doc and they have this recommendation:
Do not place Scripts directories in a subdirectory of wwwroot. Rather, keep
scripts in a separate directory like <IIS_Scripts>.

I've not come across this before so I'm after some theory behind this
practice. Does anyone here have a good link that could help me please?

I can't see how I could move the bin dir from an ASP.Net app's root. As this
is a general requirements doc, this probably isn't aimed at ASP.Net apps but
I thought someone here might be able to educate me.

Cheers for any help you can provide,

Jason.
 
Walter Wang [MSFT]

Hi Jason,

Welcome to MSDN Managed Newsgroup!

The bin subdirectory is a special one and is required by an ASP.NET web
application. Assemblies located there will be automatically used by your
WebForm. If this is moved, you will have to make sure all needed assemblies
are strong named and installed in the GAC. Can you depict more about the
rationale about moving it around?

For the question about putting scripts in a separate directory, do you mean
putting into a separate virtual directory? I'm not aware of any official
best practice regarding this behavior, I guess your customer's requirement
might be related to:

* They want to know which scripts are used by which web applications and
want to separate them into a separate directory for easy administration.
For example, setting the script permission to "None" instead of "execute"
since javascript/css normally don't need to have execute permissions.
* To improve performance if the scripts could be shared? Client browser
will cache a resource according to the URL visited.

Hope this helps.


Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support


This posting is provided "AS IS" with no warranties, and confers no rights.
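
An added example (not code from any poster in this thread): a small audit of the "no execute permission on script/css directories" idea from the reply above. It assumes an IIS 7+ style configuration, where the `accessPolicy` attribute of `<handlers>` carries that permission; the site path, directory names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the IIS 7+ <location> style; all paths are hypothetical.
SAMPLE_CONFIG = """\
<configuration>
  <location path="Default Web Site/app">
    <system.webServer>
      <handlers accessPolicy="Read, Script" />
    </system.webServer>
  </location>
  <location path="Default Web Site/app/scripts">
    <system.webServer>
      <handlers accessPolicy="Read, Script, Execute" />
    </system.webServer>
  </location>
  <location path="Default Web Site/app/css">
    <system.webServer>
      <handlers accessPolicy="Read" />
    </system.webServer>
  </location>
  <location path="Default Web Site/app/images" />
</configuration>
"""

STATIC_DIRS = {"scripts", "css", "images"}  # assumption: client-side content only
RISKY = {"Script", "Execute"}               # rights that let the server run code

def audit(config_xml, static_dirs=STATIC_DIRS):
    """Return {path: finding} for static directories that may run code."""
    findings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        if path.rsplit("/", 1)[-1].lower() not in static_dirs:
            continue  # only directories expected to hold static content
        handlers = next(loc.iter("handlers"), None)
        policy = handlers.get("accessPolicy") if handlers is not None else None
        if policy is None:
            # Nothing set here, so the parent's policy applies unchanged.
            findings[path] = "no explicit accessPolicy (inherits from parent)"
            continue
        granted = sorted({f.strip() for f in policy.split(",")} & RISKY)
        if granted:
            findings[path] = "grants " + ", ".join(granted)
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_CONFIG).items():
        print(f"{path}: {finding}")
```
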
 
Jason

Thanks for your reply Walter.

As I said, I've never come across this before so I don't really know much
about the rationale. There's quite a chain to travel along to get any further
info as I'm not directly talking to our customer so I thought I'd try here
and see if someone had any experience of this. However, it was in a
security requirements doc, so the customer is probably thinking of the bin or
scripts directories getting compromised if accessible through the root url.
Not being that deep a security expert myself, the bin directory seems secure
to me. And we have no server-side scripts.

Thanks for reminding me about the GAC. We'll have to wait to see what
exactly the customer wants.

Cheers,

Jason.
 
Walter Wang [MSFT]

Hi Jason,

The bin folder of an ASP.NET web application is protected by an ISAPI filter:

http://msdn2.microsoft.com/en-us/library/Aa479328.aspx
<quote>
The aspnet_filter.dll component is a small Win32 ISAPI filter used to back
up the cookieless session state for ASP.NET applications. In Windows Server
2003, when the IIS 6 process model is enabled, aspnet_filter.dll also
filters out requests for non-executable resources located in the Bin
directory.
</quote>


ASP.NET 2.0 has several special folders and all are protected by this
filter. Maybe this information could be useful for your customer.

Please feel free to let me know if there's anything else I can help with. Thanks.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
