ASP/ASP.NET Session Timeout – How do I change it!?

20 minutes… 20 minutes… 20 minutes… Does this sound familiar?

You’re trying something simple, or so you thought, and increasing the session timeout of your website, but it doesn’t appear to be having any effect.

ASP.NET

Usually, the first and easiest thing to do is just change the configuration/system.web/sessionState@timeout value to something like “90”.  This should mean that you’d like your users’ sessions to be persisted until a 90 minute window of idle time has elapsed.

<configuration>
  <system.web>
  ...
   <sessionState timeout="90" />
  ...
 </system.web>
</configuration>

So, what do you do now? You go ahead and make sure it works… but wait… it still appears to be timing out after 20 minutes.

This doesn’t make any sense, it explicitly says that the session timeout should be exactly 90 minutes.

There’s a couple of issues that are tied together here:

  • The application pool’s worker process default idle timeout is also set to 20 minutes
  • The default mode of storing session state is in the IIS process

Application Pool Idle Timeout

The settings for the application pool can be found by clicking Properties (IIS 6) or Advanced Settings (IIS 7.5) on the application pool that the application is assigned to.

IIS 7.5 Idle Timeout IIS 6 Idle Timeout

Ensure this value is set to the timeout of your session, at a minimum, to ensure that all sessions persist for the entire session timeout period.

The reason that these two values are dependent on one another is because the session information is actually stored within the worker process of the application pool. That is to say, if the worker process is shutdown or killed for any reason, the session information will be lost.

Session Storage Mode

There are the modes of storing the session information:

  • InProc (or In Process) – Default – Stores session information within the IIS worker process
  • StateServer – Stores session information in a separate process (the ASP.NET state service)
  • SQLServer – Stores session information in a SQL database

The only mode that is vulnerable to losing session information on a worker process is when the state is stored in the worker process. Both StateServer and SQLServer modes are not affected by worker process resets. Likewise, StateServer and SQLServer modes are the only options when it is necessary to share session state across more than a single IIS server.

For more information about these modes, check out MSDN.

ASP

There’s two ways to change the session timeout when you’re dealing with classic ASP.

You can set it at the application level, or programmatically, which means that the value can be different within the application.

Application Level

Since it doesn’t specifically state that the setting is for classic ASP, it may be confusing to know that the value is in: Application Properties -> Configuration… -> Options -> Enable session state.

It’s as simple as updating this value, and the session timeout for your entire classic ASP application is changed!

Programmatically

You can also use modify the Session.Timeout property at runtime to affect the timeout period of the session. One popular location to put this piece of code is in the global.asa file.

<script language="VBScript" runat="Server">
Sub Session_OnStart
 Session.Timeout = 90
End Sub 
</SCRIPT>

Tags: , , , ,

This entry was posted on Wednesday, May 23rd, 2012 at 7:59 pm and is filed under ASP.NET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

8 Responses to “ASP/ASP.NET Session Timeout – How do I change it!?”

Holdfast July 18th, 2012 at 6:43 pm

Thanks, this is a great summary of the factors that can affect the session.

Sedat Kumcu September 24th, 2012 at 4:17 pm

Thanks for this useful article. Best regards.

Saranya N November 7th, 2012 at 5:17 am

Thanks, this is great

Shweta December 6th, 2012 at 4:42 pm

Very Informative!!! Thanks.

MIKEL January 3rd, 2013 at 8:37 pm

Thanks a lot. it’s very helpful. great summary.

Asit April 11th, 2013 at 12:12 am

Thnaks…Really a great information about session

Ralph Jansen April 12th, 2013 at 9:19 am

Thank you for this article. I had the same strange problem that the user was kicked out within the 240 minutes that I had set. Hopefully this is the right solution

Leave a Reply

You must be logged in to post a comment.