0

I have an ASP.NET MVC application with the following in place:

Upon successful login:

Session.Timeout = 9999;

and in the web.config file, I have:

<sessionState timeout="9999" />

Additionally: authentication mode is not specified, as it links to Azure AD for authentication.

Now the problem: if I leave the application for a period of time after logging in (approx 1.5 hours), if I try to access a session variable, it will return null (eg upon page refresh).

Somewhere, the session is timing out much sooner than the specified time in both the code and web.config file. Is there anywhere else I need to check?

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Notaras
  • 611
  • 1
  • 14
  • 44
  • possible duplicate of https://stackoverflow.com/questions/648992/session-timeout-in-asp-net – RatzMouze Aug 08 '23 at 05:25
  • What's the version? MVC 4, MVC 5, MVC 6? – SNBS Aug 09 '23 at 11:48
  • @SNBS MVC version 4 – Notaras Aug 10 '23 at 00:34
  • Possible cause https://learn.microsoft.com/en-us/answers/questions/561199/the-session-state-is-timeout-in-seconds-instead-of (issue is in the ASP.NET platform, so no matter that it's about Web Forms) – SNBS Aug 10 '23 at 11:59
  • As an experiment, try setting `cookieless="true"` in `sessionState` in `web.config` and tell me if that works. *You should not do that in a production environment, for it embeds session data into the URL and thus poses a big security risk.* – SNBS Aug 10 '23 at 12:02

2 Answers2

1

The session timeout configuration work as you've described, authentication token issued by Azure AD have their own lifetime that could affect your session. Azure AD tokens have their own expiration time, which might differ from the session timeout you've set in your application.

Make sure to check the token lifetime settings in your Azure AD configuration.

Configure session timeout

  1. In the Power Platform admin center, select an environment.

  2. Select Settings > Product > Privacy + Security.

  3. Set Session Expiration and Inactivity timeout. These settings apply to all users.

ref: Link1, link2

MD. RAKIB HASAN
  • 3,670
  • 4
  • 22
  • 35
1

You also have to configure your idle timeout, since the logic of session timing out, can be reset if a user is not idle.

For MSDN reference IdleTimeOut & SessionOptions

IdleTimeOut

Make sure you setup/configure your IdleTimeout in your SessionOptions Like so:

// Appsettings.json setup your idle options
"SessionOptions": {
    "IdleTimeout": "00:10:00"
}

SessionOptions

Transformer
  • 6,963
  • 2
  • 26
  • 52