Session timeout in ASP.NET

C

15

186

I am running an ASP.NET 2.0 application in IIS 6.0. I want session timeout to be 60 minutes rather than the default 20 minutes. I have done the following

Set <sessionState timeout="60"></sessionState> in web.config.
Set session timeout to 60 minutes in IIS manager/Web site properties/ASP.NET configuration settings.
Set idle timeout to 60 minutes in application pool properties/performance.

I am still getting a session timeout at 20 minutes. Is there anything else I need to do?

Castalia answered 16/3, 2009 at 1:50 Comment(4)

Please provide information on how you measured the 20 minutes. Let's be sure that the 20 minutes is a Session timeout, and not some other kind. – Length 16/3, 2009 at 1:54

Please mark quality answers as accepted by using the checkmark near the upvote/downvote arrows – Chagres 18/1, 2013 at 1:59

Eight years later, correct answer still not accepted. – Wingspan 12/12, 2017 at 21:52

Please clarify what you mean by IIS manager/Web site properties/ASP.NET configuration settings. Step by step what did you change in IIS? – Joon 30/1, 2019 at 12:13

N

301

Are you using Forms authentication?

Forms authentication uses it own value for timeout (30 min. by default). A forms authentication timeout will send the user to the login page with the session still active. This may look like the behavior your app gives when session times out making it easy to confuse one with the other.

<system.web>
    <authentication mode="Forms">
          <forms timeout="50"/>
    </authentication>

    <sessionState timeout="60"  />
</system.web>

Setting the forms timeout to something less than the session timeout can give the user a window in which to log back in without losing any session data.

Naze answered 16/3, 2009 at 12:4 Comment(0)

P

51

I don't know about web.config or IIS. But I believe that from C# code you can do it like

Session.Timeout = 60; // 60 is number of minutes

Pulsar answered 16/3, 2009 at 2:11 Comment(3)

Will this only adjust the timeout of the current session? Or will this adjust the timeout for the whole application? – Chamblee 27/8, 2012 at 7:32

Nothing in the documentation indicates that setting Session.Timeout is any different than using web.config or IIS, so I assume it is for the whole application. – Latonya 28/7, 2015 at 10:20

I think @Latonya has right, but it must be proved at least by 2 separated connected client to server and check Idle session timeout. – Cinerama 28/3, 2017 at 11:53

P

44

Use the following code block in your web.config file. Here default session time out is 80 mins.

<system.web>
 <sessionState mode="InProc" cookieless="false" timeout="80" />
</system.web>

Use the following link for Session Timeout with popup alert message.

Session Timeout Example

FYI:The above examples is done with devexpress popup control so you need to customize/replace devexpress popup control with normal popup control. If your using devexpress no need to customize

Parulis answered 14/12, 2011 at 7:4 Comment(2)

cookieless false ? – Precatory 7/12, 2018 at 8:8

@Kiquenet, if you set cookieless to true then your sessionId will be embedded in URL which is a high security risk. ASP.NET framework inserts a unique id to the URL, you can check this by disabling the cookie or by setting the cookieless attribute to true as you did. According to MSDN, By default, the SessionID value is stored in a non-expiring session cookie in the browser but if you specify cookieless="true" then ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL. – Delaryd 28/8, 2019 at 11:0

D

22

In my situation, it was Application Pool. It is set to restart when idle for xx mins. When I set it to not restart, it seems to use value from Web Config.

Doner answered 23/10, 2013 at 11:1 Comment(5)

I know we are 2020 but damn this just solved my issue thanks ! – Duclos 25/6, 2020 at 9:22

@Duclos Same here. Trying to work with some legacy stuff and can't find all the session timeout causes. – Rilke 26/10, 2021 at 13:50

Can you say which setting in the Application Pool need to be changed? – Molecular 7/3, 2022 at 5:40

coreblox.com/blog/2014/12/… has further details for anybody else wanting to find directions to the appropriate setting – Molecular 11/5, 2022 at 5:53

App pool, advanced settings, process model, "Idle Time-out (minutes)" default of 20, can be set to 0 "forever"... – Tonitonia 23/8, 2022 at 20:34

S

9

Do you have anything in machine.config that might be taking effect? Setting the session timeout in web.config should override any settings in IIS or machine.config, however, if you have a web.config file somewhere in a subfolder in your application, that setting will override the one in the root of your application.

Also, if I remember correctly, the timeout in IIS only affects .asp pages, not .aspx. Are you sure your session code in web.config is correct? It should look something like:

<sessionState
    mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    stateNetworkTimeout="60"
    sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
    cookieless="false"
    timeout="60"
/>

Stall answered 16/3, 2009 at 3:20 Comment(0)

C

8

That is usually all that you need to do...

Are you sure that after 20 minutes, the reason that the session is being lost is from being idle though...

There are many reasons as to why the session might be cleared. You can enable event logging for IIS and can then use the event viewer to see reasons why the session was cleared...you might find that it is for other reasons perhaps?

You can also read the documentation for event messages and the associated table of events.

Chrysarobin answered 16/3, 2009 at 2:5 Comment(0)

C

4

Since ASP.Net core 1.0 (vNext or whatever name is used for it) sessions are implemented differently. I changed the session timeout value in Startup.cs, void ConfigureServices using:

services.AddSession(options => options.IdleTimeout = TimeSpan.FromSeconds(42));

Or if you want to use the appsettings.json file, you can do something like:

// Appsettings.json
"SessionOptions": {
    "IdleTimeout": "00:30:00"
}

// Startup.cs
services.AddSession(options => options.IdleTimeout = TimeSpan.Parse(Config.GetSection("SessionOptions")["IdleTimeout"]));

Consciencestricken answered 26/5, 2016 at 8:38 Comment(0)

P

4

https://usefulaspandcsharp.wordpress.com/tag/session-timeout/

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="60" slidingExpiration="true" />
</authentication>

<sessionState mode="InProc" timeout="60" />

Pironi answered 29/5, 2017 at 20:55 Comment(0)

I

3

If you are using Authentication, I recommend adding the following in web.config file.

In my case, users are redirected to the login page upon timing out:

<authentication mode="Forms">
    <forms defaultUrl="Login.aspx" timeout="120"/>
</authentication>

Irrespective answered 19/3, 2013 at 19:52 Comment(2)

I got error at here <authentication mode="Forms"> after i place it in web.config – Male 10/8, 2015 at 9:45

This answer refers to the duration of the authentication cookie's timeout and is nothing to do with session timeout. – Becharm 27/10, 2022 at 9:14

Z

3

You can find the setting here in IIS:

It can be found at the server level, web site level, or app level under "ASP".

I think you can set it at the web.config level here. Please confirm this for yourself.

<configuration>
   <system.web>

      <!-- Session Timeout in Minutes (Also in Global.asax) -->
       <sessionState timeout="1440"/>

   </system.web>
</configuration>

Zoroastrianism answered 22/2, 2017 at 23:11 Comment(1)

Also in Global.asax ? – Precatory 7/12, 2018 at 8:6

L

3

The default session timeout is defined into IIS to 20 minutes

Follow the procedures below for each site hosted on the IIS 8.5 web

Open the IIS 8.5 Manager.

Click the site name.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".

Set the "timeout" to "00:20:00 or less”, using the lowest value possible depending upon the application. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

In the "Actions" pane, click "Apply".

Lanham answered 10/12, 2019 at 13:24 Comment(0)

K

0

if you are want session timeout for website than remove

<authentication mode="Forms">
      <forms timeout="50"/>
</authentication>

tag from web.config file.

Keep answered 29/2, 2016 at 13:9 Comment(1)

This answer refers to the duration of the authentication cookie's timeout and is nothing to do with session timeout. – Becharm 27/10, 2022 at 9:14

C

0

The Timeout property specifies the time-out period assigned to the Session object for the application, in minutes. If the user does not refresh or request a page within the time-out period, the session ends.

IIS 6.0: The minimum allowed value is 1 minute and the maximum is 1440 minutes.

Session.Timeout = 600;

Concerto answered 18/9, 2016 at 13:26 Comment(0)

F

0

IIS sessions timeout value is for classic .asp applications only, this is controlled on IIS configuration. In your case For ASP.NET apps, only the web.config-specified timeout value applies.

Forsaken answered 26/1, 2017 at 19:28 Comment(1)

What about IIS's app pool timeout? – Janik 8/2, 2019 at 0:36

M

-2

After changing the session timeout value in IIS, Kindly restart the IIS. To achieve this go to command prompt. Type IISRESET and press enter.

Milter answered 8/12, 2010 at 5:53 Comment(1)

Editing the web.config file automatically causes IIS to reset. – Buhl 24/2, 2017 at 22:37

Recommended topics

Hot tags