I want to ask what the difference is between the app_data folder in a web application and in a web site .
I want to make sure that this folder is secure in web application because I put specific file in this folder which specific users only can download it.
Do not give the Directory Browsing Provision in IIS.
There is basically a way in which the Anonymous/Unauthorized user can Access/download your Authorized File. Example - You know the Query String Values and other user can type and download it. So, there are two ways by which you can prevent unauthorized User to download file.
(a) Keep the Web.Config in this folder and define the Roles/Users whoever can access it.
(b) In the Page Load, you can check the page being opened is being done by the Authorized user only.
App_Data Folder is same for both types Web Application as well as Web Site.
The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. There is be no difference between the app_data folder using a Web App or a Web Site.
Sources:
As Darren answered, there is no difference.
But to your other point of using it as a secure storage location, it is protected by ASP.NET, much like the bin folder, and users cannot browse to it.
