ASP/ASP.NET Session
Timeout – How Do I Change It!?
20 minutes… 20 minutes… 20 minutes… Does this sound
familiar?
You’re trying something simple, or so you thought, and
increasing the session timeout of your website, but it doesn’t appear to be
having any effect.
ASP.NET
Usually, the first and easiest thing to do is just change
the configuration/system.web/sessionState@timeout value to something like
“90″. This should mean that you’d like
your users’ sessions to be persisted until a 90 minute window of idle time has
elapsed.
web.config
<system.web>
...
<sessionState
timeout="90" />
...
</system.web>
</configuration>
So, what do you do now? You go ahead and make sure it works…
but wait… it still appears to be timing out after 20 minutes.
This doesn’t make any sense, it explicitly says that the
session timeout should be exactly 90 minutes.
There’s a couple of issues that are tied together here:
·
The application pool’s worker process default
idle timeout is also set to 20 minutes
·
The default mode of storing session state is in the
IIS process
Application Pool Idle
Timeout
The settings for the application pool can be found by
clicking Properties (IIS 6) or Advanced Settings (IIS 7.5) on the application
pool that the application is assigned to.
Ensure this value is set to the timeout of your session, at
a minimum, to ensure that all sessions persist for the entire session timeout
period.
The reason that these two values are dependent on one
another is because the session information is actually stored within the worker
process of the application pool. That is to say, if the worker process is
shutdown or killed for any reason, the session information will be lost.
Session Storage Mode
There are the modes of storing the session information:
- · InProc (or In Process) – Default – Stores session information within the IIS worker process
- · StateServer – Stores session information in a separate process (the ASP.NET state service)
- · SQLServer – Stores session information in a SQL database
The only mode that is vulnerable to losing session
information on a worker process is when the state is stored in the worker
process. Both StateServer and SQLServer modes are not affected by worker
process resets. Likewise, StateServer and SQLServer modes are the only options
when it is necessary to share session state across more than a single IIS
server.
For more information about these modes, check out MSDN.
ASP
There’s two ways to change the session timeout when you’re
dealing with classic ASP.
You can set it at the application level, or
programmatically, which means that the value can be different within the
application.
Application Level
Since it doesn’t specifically state that the setting is for
classic ASP, it may be confusing to know that the value is in: Application
Properties -> Configuration… -> Options -> Enable session state.
It’s as simple as updating this value, and the session
timeout for your entire classic ASP application is changed!
Programmatically
You can also use modify the Session.Timeout property at
runtime to affect the timeout period of the session. One popular location to
put this piece of code is in the global.asa file.
global.asa
<script language="VBScript"
runat="Server">
Sub Session_OnStart
Session.Timeout = 90
End Sub
</SCRIPT>