On one of our project we been experiencing random session timeout issues. With recent discovery I've notice that Sitecore Analytics.Robots.SessionTimeout maybe the thing that's causing it.

We notice that at random session timeout, the timeout value was set to 1min instead of our 120min.

After searching through all the config files we notice only one configuration has timeout set to 1min.

We think by increasing the analytics robots session timeout to 120min will fix our random timeout issue, but my question is, will this have any negative performance impact or security issue by allowing robot sessions to live for 120min instead of 1min?

Thanks you for your suggestions.

I've log the issue with Sitecore and here's their response to the issue.

I don't think that the behaviour should be considered as a bug because Sitecore CMS was designed to be used with ASP.NET WebForms technology. While using web forms, the bot detection relies on the control in the of the page. It's natural that you can't use it in the ASP.NET MVC application, but there is an easy solution - put the following code inside the element:

<%
if (Context.Diagnostics.Tracing || Context.Diagnostics.Profiling)
{
  Response.Write("<!-- Visitor identification is disabled because debugging is active. -->");
}
else if (Tracker.IsActive && (Tracker.Visitor.VisitorClassification == 925))
{
  Response.Write("<link href=\"/layouts/System/VisitorIdentification.aspx\" rel=\"stylesheet\" type=\"text/css\" />");
}
%>

This seems like a different problem to me... I don't think it's an issue that robots are set for 1 minute session. You say the problem is "random", but is it possible what is really going on is that some site visitors are being mis-identified as robots?

I don't think you'll see any performance impact by changing the robot timeout, but that would be treating the symptom rather than finding the real cause.

I've log the issue with Sitecore and here's their response to the issue.

I don't think that the behaviour should be considered as a bug because Sitecore CMS was designed to be used with ASP.NET WebForms technology. While using web forms, the bot detection relies on the control in the of the page. It's natural that you can't use it in the ASP.NET MVC application, but there is an easy solution - put the following code inside the element:

<%
if (Context.Diagnostics.Tracing || Context.Diagnostics.Profiling)
{
  Response.Write("<!-- Visitor identification is disabled because debugging is active. -->");
}
else if (Tracker.IsActive && (Tracker.Visitor.VisitorClassification == 925))
{
  Response.Write("<link href=\"/layouts/System/VisitorIdentification.aspx\" rel=\"stylesheet\" type=\"text/css\" />");
}
%>

This was happening to us due to tracking prevention and ad blockers stopping Sitecore's robot detection component (VisitorIdentification.js) from being able to detect human behaviour.

To prevent logged-in users from being misclassified as bots, we added the following post-login code to mark any misclassified visitors as humans:

using Sitecore.Analytics;
using Sitecore.Analytics.Core;

// ...

private static void IdentifyUserAsHuman()
{
    const int HumanVisitorClassification = 0;

    var currentSession = Tracker.Current.Session;
    var isClassifiedAsHuman = ContactClassification.IsHuman(currentSession.Contact.System.Classification);
    if (!isClassifiedAsHuman)
    {
        currentSession.SetClassification(HumanVisitorClassification, HumanVisitorClassification, true);
    }
}