ASP.NET Session Vs Cookie expiration

Question

My ASP.NET Web-Forms application has following configuration setting

<sessionState mode="StateServer" timeout=60" />

I believe, when a new session is created,

1. A bucket is created on Server side (state service or in-proc) to store data for this user session, identifiable by a unique ID
2. A cookie, named (ASP.NET_SessionId) is sent to browser with a unique ID.

Queries,

1. How to set/control expiration duration of session (#1 above) on server side
2. How to set/control expiration duration of cookie (#2 above) on client side
3. With above configuration setting, the expiration for cookie on **Firefox** is set to (SESSION) and the cookie gets lost when browser is closed, while on **Chrome**, the expiration is set to (1 Year). How can these durations be controlled from within asp.net application? I want to set expiration on Firefox to 1 year as well

Answer 1

Session cookies are set/controlled server side, by the Session and the sessionState object.

By setting a session timeout, the session cookie is also set and on each request they are matched/checked against each other, to evaluate whether one or the other has expired.

I recommend to read about them here, since it is way to much to post

• https://msdn.microsoft.com/en-us/library/ms178194.aspx
• https://msdn.microsoft.com/en-us/library/ms178581.aspx

Answer 2

In ASP.Net, we should not altering or modifying Session cookie directly, because there is no information inside except Session Id. Look at the screen shot.

If you want to increase or decrease session timeout, you just modify sessionState like you have in your question.

I want to set expiration on Firefox to 1 year as well

You cannot and should not set Session state expiration to 1 year.

It seems that you confuse with Forms authentication timeout vs sessionState timeout.