What problems can be faced if one sets the session timeout too high? I have changed the session timeout from 20 to 100 in the web config file of my website. Can it lead to problems in the future?
2 Answers
Even though you are talking about a too high session timeout, your question is about wrong question timeout, which also means too low a session timeout, so I'll talk about both possibilities here.
A too low session timeout can lead to unexpected behaviour and results as when you access session variables they are not filled any longer because the session expired. This can be quite cumbersome for example in a webshop if you add items and then go to cart and press order after a while and see that the order is empty because you took too long to press that button.
A "too high" session timeout can have a few side effects, but the most troubling problem (if all was programmed correctly) is security. To understand why security, we need to keep one thing in mind: what happens when the user closes the window instead of logging out (or does not do whatever you define as ending the session)? The browser, when it is started again, will still show all of the user's session data. This is normally no problem on the personal PC of the user, but if he uses a public PC to access the site then it can cause quite a lot of security issues (like someone else having access to your bank account info, ...). Thus security is a major reason for choosing as low a session timeout as you can get away with.
A few side effects of high values would be that, depending on your application, data needs to be reloaded into the session (for example if we are talking about statistics that are stored there which could be modified by things other users do). Another thing would be memory consumption. The longer the session stays active, the longer the memory it uses stays used. Normally that should be no problem, BUT depending on your application it can lead to memory problems if the session data contains A LOT of data which is increased with each click (in over 10 years I ran into that problem only once, and that was because of quite unique definitions for that one page that caused it).
Thus, to summarize, the following things are probably unwanted side effects of a too high session timeout:
- Higher possibility of session hijacking when someone else uses the same client
- Session data (depending on application though) can be too old so that the user sees data that is no longer up to date.
- Out of memory problems / out of disk space problems (as sessions are most often stored on disk). This is, like mentioned before, extremely rare, and in most cases if this happens it has more to do with a wrongly built site than real problems with the timeout settings.

- Thanks for this information @thomas. Currently, I am getting a DB issue. The DB is not getting updated after I increased the session timeout to 100. It was earlier 20. Can it be related to the session? Please help – Khushi Sharma Dec 10 '14 at 03:55
- Normally db and session are not connected to each other at all. So if you made no design "error" there, then a higher session timeout should not affect the db update at all. Do you store something you need in the session? I mean not the data, as that is clear, more like the connection itself or the connection string, ...? – Thomas Dec 10 '14 at 06:56
- Above statement we have used for session. Please share your thoughts – Khushi Sharma Dec 10 '14 at 07:00
- I think I found something there, an old question: http://stackoverflow.com/questions/590967/asp-net-connection-string From what I gather, he also had sessionState mode="InProc" and ran into the problem that sqls failed. Take a look there to see if that helps; otherwise I'll look around more. – Thomas Dec 10 '14 at 07:13
- Most of the time it is said that storing connection strings in session variables is not advised. Most recommend putting these into encrypted config files. – Thomas Dec 10 '14 at 07:15
Yes. It will also open the window for attacks. You can also encounter memory overflow if session load increases. Higher value denotes how much time user can be idle.

- DB deadlocks? How are they connected with a session timeout? (As far as I'm aware a db connection timeout is still separate from the session timeout, or am I wrong there?) – Thomas Dec 09 '14 at 11:44
- Hi @Amit, how can we get information about the memory usage of the application on the server? Please tell – Khushi Sharma Dec 11 '14 at 05:27
- Use .NET profiler. You can also add performance counters for your web application and monitor those performance counters. Some useful links: http://msdn.microsoft.com/en-us/magazine/hh288073.aspx , http://stackoverflow.com/questions/3927/what-are-some-good-net-profilers . If you have the Ultimate edition of Visual Studio then you can perform load testing before deploying it to the server. http://msdn.microsoft.com/en-us/library/vstudio/dd293540(v=vs.110).aspx – Amit Dec 11 '14 at 05:40
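Added example, not part of the original answers and not ASP.NET's own code: a small Python model of the sliding idle timeout both answers describe, comparing the question's values 20 and 100 (taken as minutes). The class and function names are hypothetical, and the session id and the one-visitor-per-minute load are constructed assumptions.

```python
# Toy in-memory session store with a sliding idle timeout (illustrative only).
class SessionStore:
    def __init__(self, timeout_minutes):
        self.timeout = timeout_minutes
        self.sessions = {}  # sid -> [last_seen_minute, data]

    def create(self, sid, now, data):
        self.sessions[sid] = [now, data]

    def access(self, sid, now):
        """Return the session data, or None if the session idled out."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now - entry[0] > self.timeout:
            del self.sessions[sid]   # expired: data is dropped
            return None
        entry[0] = now               # every request slides the expiry forward
        return entry[1]

    def abandon(self, sid):
        """Explicit logout: the session ends immediately."""
        self.sessions.pop(sid, None)

    def sweep(self, now):
        """Drop idle sessions; return how many are still held in memory."""
        expired = [s for s, e in self.sessions.items() if now - e[0] > self.timeout]
        for sid in expired:
            del self.sessions[sid]
        return len(self.sessions)


def shared_pc_exposed(timeout, minutes_away, logged_out=False):
    """The user's last click is at minute 5; the next person on the same
    browser presents the same session id `minutes_away` minutes later."""
    store = SessionStore(timeout)
    store.create("sid-constructed", now=0, data={"cart": ["item"]})
    store.access("sid-constructed", now=5)
    if logged_out:
        store.abandon("sid-constructed")
    return store.access("sid-constructed", now=5 + minutes_away) is not None


def sessions_held(timeout, minutes=200):
    """Constructed load: one new single-request visitor per minute."""
    store = SessionStore(timeout)
    for t in range(minutes):
        store.create(f"visitor-{t}", now=t, data={})
    return store.sweep(now=minutes)
```

With the window closed but no logout, a 30-minute gap is covered by the 100-minute setting and not by the 20-minute one, and the number of sessions kept in memory under the same load scales with the timeout.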