I am trying to make the session timeout in my application configurable.

When I put the following code in my web.config file it works fine:

<sessionState cookieless="true" timeout="1" />

That is, I can see my session times out after 1 minute. However, this code has the side effect of putting the session id in the URL, which is not desirable.

On the other hand, if I use the following code in my web.config, the session does not time out for at least 1 hour or longer:

<sessionState cookieless="false" timeout="1" />

To determine that the session is in fact timing out, I am using the following code in my _Layout.cshtml:

@if (Session[MvcApplication._Ssn_UserName] == null)
{
    Response.Redirect("~/Login/Index");
}

When the timeout is working, I see the user redirected to my Login page anytime they navigate to a different page or just hit the refresh button in the browser.

I see the same behavior when running from Visual Studio (IIS Express) or when running on IIS.

I've done a lot of searching online, and haven't discovered any correlation between the cookieless setting and the timeout behavior. Any ideas would be appreciated.

Jason D

1 Answer


Try to use the IIS session state setting as suggested below:

1) Open IIS and select your site.

2) Select the Session State feature.

3) Set the mode and cookie setting as per your choice:

Session timeout value should not be set higher than 20 minutes (except in special cases) because every open session is holding onto memory. It should also not be set lower than 4 minutes because clients rarely respond within that time, resulting in a loss of session state. So try to set it to 5 minutes or more.

Make sure there is no other session timeout setting which conflicts with this setting, like a global.asax file setting or a code-behind timeout setting.

Try to set the IIS application pool idle time-out setting the same as the session timeout setting.

Go to the Application Pool of the website --> go to Advanced Settings --> Process Model --> and change Idle Time-out

Jalpa Panchal
  • Hi Jalpa, thanks for the detailed suggestions. I tried everything above, but unfortunately it doesn't work for me. No matter what settings I use, no impact on session timeout. I am finding only if I change the session timeout in the web.config with cookieless=true, can I have an impact on the session timeout. And I think at least this link confirms my observations: https://stackoverflow.com/questions/1544500/iis-session-timeout-vs-asp-net-session-timeout. Do you agree with the analysis in that post? – Jason D May 06 '20 at 11:36
  • @JasonD when you set cookieless="false" it means Session uses a background cookie if cookies are enabled. If cookies are disabled, then the URL is used to store session information. So first check where your session is actually stored, and also try to set the timeout value to more than 5 minutes. – Jalpa Panchal May 07 '20 at 08:25
  • With cookieless="false", I set timeout greater than 5 minutes. It does not help. I can only make the session timeout if cookieless="true" – Jason D May 08 '20 at 11:16
  • @JasonD cookieless=false means your session is stored in a cookie so check the cookie time out value. – Jalpa Panchal May 09 '20 at 05:44
  • Hi Jalpa, I assumed I am setting the cookie timeout value in the web.config itself. If that is not the place, then where am I supposed to configure the cookie timeout value? – Jason D May 12 '20 at 12:05
  • Hi Jalpa, I finally figured out what was wrong. I have a timer running in my layout that is making AJAX calls periodically. This had the inadvertent effect of keeping my session alive. Thanks again for the suggestions above. – Jason D May 12 '20 at 12:41
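
The cause named in the last comment, as an added example that is not part of the original thread: a sliding idle timeout is renewed by every request, so a layout timer that polls more often than the timeout keeps the session alive indefinitely. The model below is constructed JavaScript, not ASP.NET code; `SessionModel`, `firstExpiry` and the `ignoreBackground` switch (renew only on user-driven requests) are hypothetical names.

```javascript
// Constructed model of a sliding idle timeout; times are in seconds.
class SessionModel {
  constructor(timeoutSec, ignoreBackground) {
    this.timeoutSec = timeoutSec;
    // Hypothetical hardening: background polls do not renew the session.
    this.ignoreBackground = ignoreBackground;
    this.lastTouch = 0; // login happens at t = 0
  }

  // Returns true if the request arrives while the session is still alive.
  request(nowSec, isBackground) {
    const alive = nowSec - this.lastTouch < this.timeoutSec;
    if (!alive) return false; // expired: the caller would be sent to the login page
    // Sliding expiration: a served request moves the idle deadline forward,
    // unless it is a background poll and the hardening switch is on.
    if (!(isBackground && this.ignoreBackground)) this.lastTouch = nowSec;
    return true;
  }
}

// Simulates a layout timer polling every pollEverySec with no user activity.
// Returns the time of the first rejected poll, or null if none is rejected.
function firstExpiry(timeoutSec, pollEverySec, ignoreBackground, untilSec) {
  const session = new SessionModel(timeoutSec, ignoreBackground);
  for (let t = pollEverySec; t <= untilSec; t += pollEverySec) {
    if (!session.request(t, true)) return t;
  }
  return null;
}

// timeout="1" (60 s) with a 30 s poll: the session never expires.
console.log(firstExpiry(60, 30, false, 3600));
// Same poll, but polls no longer renew the session: expires on schedule.
console.log(firstExpiry(60, 30, true, 3600));
// A poll slower than the timeout cannot keep the session alive.
console.log(firstExpiry(60, 90, false, 3600));
```

When a short idle timeout appears to have no effect, checking the browser's network tab for periodic requests that carry the session cookie is a quick way to confirm this cause.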