Problem with session timeout in C#

Question

In my web.config file I tried Session.Timeout="1" and found working. Later I tried Session.Timeout="20160". Even if I give such a large number my website "Session Transfers" are being expired in 15-20mins. Do I need to change any settings in IIS? I am using windows 2003 server.

Are you using Forms Authentication for your pages by any chance? — Dan7el, Jul 06 '11 at 12:42
Not sure but I think yes. Its default IIS provided with windows 2003 server. — Karthik Malla, Jul 06 '11 at 12:43
Is the website shutting down? Session timeout won't stop your websites app domain being shut down by IIS if the website is inactive. Try logging the Application_End event in Global.asax. You can increase the idle timeout in the IIS configuration for the site. — James Gaunt, Jul 06 '11 at 12:45
I am sending a code from one page to another for authentication. This code is currently stored as session. When I reload page instantly there is no problem. If I reload page after 20 mins page is being redirected to login page. i.e. there is no more session code present over the page. — Karthik Malla, Jul 06 '11 at 12:50
If it's exactly 20 mins then this is also the default idle timeout - so if your site is idle for that 20 mins then increase the idle timeout in the iis settings. — James Gaunt, Jul 06 '11 at 13:00
Try setting you session.Timeout to 1440. Your Session variables are no longer valid when referenced after 24 hours(1440). Which is why setting it to 20160 does nothing — Gage, Jul 06 '11 at 13:05

score 2 · Answer 1 · answered Jul 06 '11 at 12:37

2

define in the web configuration file:

<sessionstate 
      mode="inproc"
       cookieless="false" 
      timeout="20" 
     />

answered Jul 06 '11 at 12:37

score 0 · Answer 2 · answered Jul 06 '11 at 12:34

0

define in here in web.config file:

 <system.web>
     <authentication mode="Forms">
         <forms timeout="50" />
     </authentication>
 </system.web>

answered Jul 06 '11 at 12:34

Saeed Neamati

35,341
41
136
188

What about declaration in – Karthik Malla Jul 06 '11 at 12:38
1

In that case, I post a new question to know what is their difference? – Saeed Neamati Jul 06 '11 at 12:41
1

cookieless sessions can easily be hijacked, so try and avoid. the following article outlines the problems. http://www.troyhunt.com/2010/07/owasp-top-10-for-net-developers-part-3.html – Nickz Jul 06 '11 at 12:47
1

@Nick - But its cookieless="false" na? – Karthik Malla Jul 06 '11 at 12:58
2

@kars, just wanted to point out its important to avoid cookieless sessions. – Nickz Jul 06 '11 at 13:28

score 0 · Accepted Answer · answered Jul 06 '11 at 12:37

0

check this :

http://forums.asp.net/t/1283350.aspx

answered Jul 06 '11 at 12:37

Ovais Khatri

3,201
16
14

I configured my server with these settings before a month but instead to change values for 20 to 14400 I disabled the check box and saved settings. Hope this will be optimized to the maximum time. – Karthik Malla Jul 06 '11 at 12:46

Gage · Answer 4 · 2011-07-06T12:46:47.733

0

Seems like session timeout has a max of 24 hours. Check this out http://support.microsoft.com/kb/233477

Set it to 24 hours or less and you will be fine.

Also explained here: http://msdn.microsoft.com/en-us/library/ms525473(v=vs.90).aspx

IIS 6.0: The minimum allowed value is 1 minute and the maximum is 1440 minutes.

edited Jul 06 '11 at 12:46

answered Jul 06 '11 at 12:40

Gage

7,365
9
47
77

Problem with session timeout in C#

4 Answers4