How to set session timeout in web.config

5

204

I have tried very hard but cannot find a solution on how to set session timeout value for in-process session for an ASP.Net web application.

I am using VSTS 2008 + .Net 3.5 + C#. Here is what I wrote by myself to set timeout to be 1 minute, is it correct?

I wrote under system.web section in the web.config

    <sessionState timeout="1" mode="InProc" />
Rattan answered 30/7, 2009 at 10:49 Comment(7)
The way you define the timeout is correct. Do you have any issues with it? – Surd
You know that this means it will expire after 1 minute of inactivity, not after 1 minute from its start? My guess is that if you are asking this question, and have typed the timeout correctly, you might be misled about how it works. – Shoreline
I need to set inactive time, it is just what I need. Thanks Ivan! – Rattan
LOL! I wouldn't recommend setting the time-out to just 1 minute. That's gonna kill the usability! – Bah
I completely understand the need for a short timeout period. In my case it is to test the usability of the site if the session does time out and how it reacts once the user comes back. It's hard to test that while also debugging unless the session timeout occurs quickly. – Deka
Possible duplicate of Session timeout in ASP.NET – Archdeacon
Does this change the 'Expires/Max-Age' of the 'ASP.NET_SessionId' cookie in Chrome dev tools? – Laplante
359

If you want to set the timeout to 20 minutes, use something like this:

    <configuration>
      <system.web>
         <sessionState timeout="20"></sessionState>
      </system.web>
    </configuration>
Tann answered 30/7, 2009 at 10:56 Comment(2)
20 minutes or hours? (timeout="20") – Alejandraalejandrina
Config states the timeout in minutes, so 20 minutes. – Tann
53

The value you are setting in the timeout attribute is one of the correct ways to set the session timeout value.

The timeout attribute specifies the number of minutes a session can be idle before it is abandoned. The default value for this attribute is 20.

By assigning a value of 1 to this attribute, you've set the session to be abandoned 1 minute after it's idle.

To test this, create a simple aspx page, and write this code in the Page_Load event:

    Response.Write(Session.SessionID);

Open a browser and go to this page. A session id will be printed. Wait for a minute to pass, then hit refresh. The session id will change.

Now, if my guess is correct, you want to make your users log out as soon as the session times out. For doing this, you can rig up a login page which will verify the user credentials, and create a session variable like this -

    Session["UserId"] = 1;

Now, you will have to perform a check on every page for this variable like this -

    if (Session["UserId"] == null)
        Response.Redirect("login.aspx");

This is a bare-bones example of how this will work.

But, for making your production quality secure apps, use Roles & Membership classes provided by ASP.NET. They provide Forms-based authentication which is much more reliable than the normal Session-based authentication you are trying to use.

Langbehn answered 30/7, 2009 at 10:57 Comment(1)
Great advice... Be sure to set a Session variable first before testing with Response.Write(Session.SessionID); otherwise it will refresh with a new ID every time you refresh. – Nutmeg
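
As an added example (not part of the answer above), the per-page check it describes can be placed in one base class so that no protected page can forget it, and a timed-out session can be told apart from a first visit. The class name `AuthenticatedPage` and the `expired=1` query parameter are hypothetical, and the cookie check assumes cookie-based sessions with the default cookie name `ASP.NET_SessionId`.

```csharp
using System;
using System.Web.UI;

// Hypothetical base class: every page that requires a login inherits
// from this instead of System.Web.UI.Page.
public class AuthenticatedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // "UserId" is the session variable set by the login page.
        // It is gone once the session has been idle longer than the
        // timeout configured in <sessionState timeout="..."/>.
        if (Session["UserId"] == null)
        {
            // Heuristic: the server just created a new session, yet the
            // browser still sent a session cookie, so an earlier session
            // most likely expired. Assumes the default cookie name.
            bool probablyTimedOut =
                Session.IsNewSession &&
                Request.Cookies["ASP.NET_SessionId"] != null;

            // "expired=1" is a hypothetical flag the login page can use
            // to show a "your session timed out" message.
            string target = probablyTimedOut
                ? "login.aspx?expired=1"
                : "login.aspx";

            // The single-argument overload ends the response, so none of
            // the protected page's own code runs without a logged-in user.
            Response.Redirect(target);
        }
    }
}
```

With `timeout="1"` in web.config, logging in, waiting just over a minute and then requesting any page derived from this class should land on `login.aspx?expired=1`.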
2

If you are using MVC, you put this in the web.config file in the Root directory of the web application, not the web.config in the Views directory. It also needs to be IN the system.web node, not under like George2 stated in his question: "I wrote under system.web section in the web.config"

The timeout parameter value represents minutes.

There are other attributes that can be set in the sessionState element. You can find information here: learn.microsoft.com sessionState

    <configuration>
       <system.web>
          <sessionState timeout="20"></sessionState>
       </system.web>
    </configuration>

You can then catch the beginning of a new session in the Global.asax file by adding the following method:

    void Session_Start(object sender, EventArgs e)
    {
        if (Session.IsNewSession)
        {
            // Do things that need to happen
            // when a new session starts.
        }
    }
Unhandy answered 12/12, 2019 at 15:8 Comment(0)
1

Use this in web.config:

    <sessionState

      timeout="20"
    />
Rightward answered 28/6, 2011 at 8:33 Comment(1)
You don't need most of the attributes you list, just timeout really. stateConnectionString and sqlConnectionString are ignored when mode="InProc", and the values for mode and cookieless are set to their default values. So, this really distills down to Wolfwyrd's answer. – Halakah
1

If it's not working from web.config, you need to set it from IIS.

Allisonallissa answered 27/9, 2019 at 16:1 Comment(0)
