ASP/ASP.NET Session Timeout – How do I change it!?
20 minutes… 20 minutes… 20 minutes… Does this sound familiar?
You’re trying something simple, or so you thought, and increasing the session timeout of your website, but it doesn’t appear to be having any effect.
Usually, the first and easiest thing to do is just change the configuration/system.web/sessionState@timeout value to something like “90”. This should mean that you’d like your users’ sessions to be persisted until a 90 minute window of idle time has elapsed.
<configuration> <system.web> ... <sessionState timeout="90" /> ... </system.web> </configuration>
So, what do you do now? You go ahead and make sure it works… but wait… it still appears to be timing out after 20 minutes.
This doesn’t make any sense, it explicitly says that the session timeout should be exactly 90 minutes.
There’s a couple of issues that are tied together here:
- The application pool’s worker process default idle timeout is also set to 20 minutes
- The default mode of storing session state is in the IIS process
Application Pool Idle Timeout
The settings for the application pool can be found by clicking Properties (IIS 6) or Advanced Settings (IIS 7.5) on the application pool that the application is assigned to.
|IIS 7.5 Idle Timeout||IIS 6 Idle Timeout|
Ensure this value is set to the timeout of your session, at a minimum, to ensure that all sessions persist for the entire session timeout period.
The reason that these two values are dependent on one another is because the session information is actually stored within the worker process of the application pool. That is to say, if the worker process is shutdown or killed for any reason, the session information will be lost.
Session Storage Mode
There are the modes of storing the session information:
- InProc (or In Process) – Default – Stores session information within the IIS worker process
- StateServer – Stores session information in a separate process (the ASP.NET state service)
- SQLServer – Stores session information in a SQL database
The only mode that is vulnerable to losing session information on a worker process is when the state is stored in the worker process. Both StateServer and SQLServer modes are not affected by worker process resets. Likewise, StateServer and SQLServer modes are the only options when it is necessary to share session state across more than a single IIS server.
For more information about these modes, check out MSDN.
There’s two ways to change the session timeout when you’re dealing with classic ASP.
You can set it at the application level, or programmatically, which means that the value can be different within the application.
Since it doesn’t specifically state that the setting is for classic ASP, it may be confusing to know that the value is in: Application Properties -> Configuration… -> Options -> Enable session state.
It’s as simple as updating this value, and the session timeout for your entire classic ASP application is changed!
You can also use modify the Session.Timeout property at runtime to affect the timeout period of the session. One popular location to put this piece of code is in the global.asa file.
<script language="VBScript" runat="Server"> Sub Session_OnStart Session.Timeout = 90 End Sub </SCRIPT>
This entry was posted on Wednesday, May 23rd, 2012 at 7:59 pm and is filed under ASP.NET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.