6

I was considering using <sessionState mode="InProc" timeout="45" /> because some users are repeatedly logging in, and I would like to save them some time. However, before I add this to my web.config file, I wanted to make sure there would be no side affects.

I read up on sessionState versions, although I already am fairly aware of what goes on, I was curious to know what the default setting for an asp.net mvc 3 application was as there is no defined sessionState inside of my system.web at this time.

I know that the application has access to Session["key"] without the declaration, although I try to avoid putting that type of load on the Session. I would assume that there is a setting in IIS 7 which my application is inheriting (This application is on a shared hosting environment).

I understand that there could be issues if I was using a dedicated database or server for the Session, but this is just a basic setup as far as that goes, nothing fancy.

Is there a default sessionState for asp.net mvc 3? Is it just being inherited? Will there be side affects from overriding it in my web.config if it is defined elsewhere in IIS?

Travis J
  • 81,153
  • 41
  • 202
  • 273
  • I'm sorry to be slightly off-topic, but sessions have rather bad reputation as being inreliable, so ... ;) – Paweł Staniec Jan 16 '13 at 18:23
  • @torm - I agree, I am not planning on using them. But how else would I control the length of time before a user is automatically logged out due to inactivity? – Travis J Jan 16 '13 at 18:26
  • first thing that comes to my mind? if user navigates through pages he's not idle, so the only thing to detect would be maybe mouse movement detection with javascript and globally defined variable to compare to? there are examples in the web, and the 'idle user detection' is being broadly discussed on the SO :) – Paweł Staniec Jan 16 '13 at 18:38
  • 1
    @torm - The issue is not that the user takes 20 minutes on one page, it is that they have no interaction with the site at all for 20 minutes, and then are logged out. There is no debate there, regardless of a client side intrusive method, their session will expire automatically. Please provide evidence for your claims of Session being unreliable in the sense of authentication (as its current use is widespread I am sure some people would love to hear your argument). As for the `idle user detection`, some evidence there would be nice as well. I pretty much disagree with your whole comment. – Travis J Jan 16 '13 at 19:02
  • so what about the cookie that is being stored in users browser ? :) isnt' that for authentication? you can read a lot about problems with sessions and why people avoid them http://stackoverflow.com/questions/665029/should-i-use-asp-net-sessions-or-avoid-them-and-why, http://www.hanselman.com/blog/TroubleshootingExpiredASPNETSessionStateAndYourOptions.aspx or just read some Darin Dimitorv's answers ("Using Session is bad." :D ) but I don't want to argue. Any approach is good if it works the way you want it to. – Paweł Staniec Jan 16 '13 at 20:16

2 Answers2

5

As of now the default Timeout = 20 minutes.

These are the default values for .Net Framework 4. I think they don't change because of MVC 3.

Leniel Maccaferri
  • 100,159
  • 46
  • 371
  • 480
Anderson Pimentel
  • 5,086
  • 2
  • 32
  • 54
  • 1
    I had looked at this page: http://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.71).aspx , but did not find the link you posted in your answer when searching. You are correct in that the `.Net` values should not change for `mvc`. Thank you for the information, it clearly states `The default is the InProc value.` and the default timeout is `20`. – Travis J Jan 16 '13 at 18:31
  • You're welcome! BTW, MSDN has been a little "wild" after the last layout changes. =D – Anderson Pimentel Jan 16 '13 at 18:35
0

The accepted answer is correct, but possibly the OP is actually meaning to ask about authentication timeout which would be 30 minutes.

I know this is old but though it important to clarify that session state has nothing to do with authentication. The OP does not state what form of authentication is in use. Assuming Forms Authentication, then the default timeout for that is 30 minutes and is controlled in the <authentication...<forms element in web.config. I have found it best to have your authentication timeout set to less than your session timeout when using in-proc session. I tend to use out of process session as a preference, as it preserves session data from app-pool recycles.

hollystyles
  • 4,979
  • 2
  • 36
  • 38
  • I think it’s the other way around. See https://stackoverflow.com/questions/17812994/forms-authentication-timeout-vs-sessionstate-timeout. And https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-1.1/h6bb9cz9(v=vs.71) from above. Thanks for the recommendation on using `StateServer` `sessionState` mode. – Dennis T --Reinstate Monica-- Aug 31 '18 at 12:55