13

Site hosted via IIS 7.0

I would like to set my session time-out to 9 hours in my ASP.NET application.
This has been set at web.config

<sessionState timeout="540"></sessionState>

But, as I understand, if the timeout is set as 20 minutes inside the IIS where the website is hosted, setting an extended session state will be of no use.

Firstly, I would like to confirm whether this assumption is right.

The problem is that I do not have access to the IIS of my shared hosted web server.

Now, after some research, I came up with another solution in code project. This sounds like a wonderful idea. The idea is to insert an iframe to master page. The iframe will contain another page with meta refresh less than 20 minutes.

 Response.AddHeader("Refresh", "20");

This idea seemed good for me. But the article is 7 years old. Plus at comments section a user complaints that this won't work if the page is minimized and I am worried that the same happens when my pages tab is not active.

I would like to know these things

  1. Whether the refresh method will work for my scenario , even if the page is minimized?
  2. Are there any other methods that could increase session time out that overrides IIS timeout setting?
  3. Also I read some questions in Stack Overflow where the answers state that the IIS session timeout is for clasic ASP pages. Then why is not my extended timeout not firing?
naveen
  • 53,448
  • 46
  • 161
  • 251

1 Answers1

7

Firstly, I would like to confirm whether this assumption is right.

Yes, this assumption is absolutely right in case you are using in-memory session state mode. In this case the session is stored in memory and since IIS could tear down the AppDomain under different circumstances (period of inactivity, CPU/memory tresholds are reached, ...) the session data will be lost. You could use an out-of-process session state mode. Either StateServer or SQLServer. In the first case the session is stored in the memory of a special dedicated machine running the aspstate Windows service and in the second case it is a dedicated SQL Server. The SQL Server is the most robust but obviously the slowest.

1) Whether the refresh method will work for my scenario , even if the page is minimized?

The hidden iframe still works to maintain the session alive but as I said previously there might be some conditions when IIS unloads the application anyway (CPU/memory tresholds are reached => you could configure this in IIS as well).

2) Are there any other methods that could increase session time out that overrides IIS timeout setting?

The previous method doesn't increase the session timeout. It simply maintains the session alive by sending HTTP requests to the server at regular intervals to prevent IIS from bringing the AppDomain down.

3) Also I read some questions in Stack Overflow where the answers state that the IIS session timeout is for clasic ASP pages. Then why is not my extended timeout not firing?

There is no such thing as IIS session timeout. The session is an ASP.NET artifact. IIS is a web server that doesn't know anything about sessions.

Personally I don't use sessions in my applications. I simply disable them:

<sessionState mode="Off"></sessionState>

and use standard HTTP artifacts such as cookies, query string parameters, ... to maintain state. I prefer to persist information in my backend and retrieving it later using unique ids instead of relying on sessions.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • 1
    In IIS 6 you can configure a "Session timeout" in the website properties, tab "Home Directory", button "Configuration", tab "Options". – Andomar Dec 28 '11 at 13:42
  • @Andomar, oh, didn't know this. And what does this setting reflect? By what it is used? Classic ASP? Because for an ASP.NET session IIS doesn't have the word. – Darin Dimitrov Dec 28 '11 at 13:44
  • No idea, was hoping to find the answer here :) – Andomar Dec 28 '11 at 13:55
  • @DarinDimitrov: so what might be happening to my session. i am setting it to `` – naveen Dec 28 '11 at 16:14
  • @naveen, what are the symptoms? Are you loosing session data? If this is the case, this is a strong indication that the AppDomain got recycled by the web server. – Darin Dimitrov Dec 28 '11 at 16:15
  • @DarinDimitrov: I am loosing session data. Its like `Session["NeverBeNull"] == null`. Plus, I do not have any control over web server. What could be done? – naveen Dec 28 '11 at 16:22
  • @naveen, if you don't have access to the server I suppose that you cannot use an out-of-process session? If this is the case you could always try the iframe hack but it might not be 100% reliable. The best solution is not to use session at all. This way the problem will be solved in a 100% reliable manner. – Darin Dimitrov Dec 28 '11 at 16:24
  • @DarinDimitrov: I will try using an iframe and let you know how that worked. Just curious, what do you use instead of session to pass data between pages for webforms? – naveen Dec 28 '11 at 16:33
  • 2
    @naveen, I use cookies and when I need to pass complex objects I choose between POSTing, query string parameters or persisting the object into my backend and then fetching it back given an id. There are so many possibilities. Everything will depend on my exact scenario and what I am trying to do. There is no single answer to this question. – Darin Dimitrov Dec 28 '11 at 16:51
  • thanks a lot for your insights darin. that was really helpful – naveen Dec 29 '11 at 09:19
  • In the case of IIS, the default 20 minutes time-out for the application pool is referring to incoming requests. If your application doesn't receive any requests at all for 20 minutes then the application pool is put to sleep to save resources. When this happens all the sessions in your application are gone. As far as I am aware, others may be able to verify. – RobS Mar 15 '13 at 04:13