Monday, 3 June 2013

ASP/ASP.NET Session Timeout – How Do I Change It!?
20 minutes… 20 minutes… 20 minutes… Does this sound familiar?
You’re trying something simple, or so you thought, and increasing the session timeout of your website, but it doesn’t appear to be having any effect.
ASP.NET
Usually, the first and easiest thing to do is just change the configuration/system.web/sessionState@timeout value to something like “90″.  This should mean that you’d like your users’ sessions to be persisted until a 90 minute window of idle time has elapsed.
web.config
<configuration>
  <system.web>
  ...
   <sessionState timeout="90" />
  ...
 </system.web>
</configuration>

So, what do you do now? You go ahead and make sure it works… but wait… it still appears to be timing out after 20 minutes.
This doesn’t make any sense, it explicitly says that the session timeout should be exactly 90 minutes.
There’s a couple of issues that are tied together here:
·         The application pool’s worker process default idle timeout is also set to 20 minutes
·         The default mode of storing session state is in the IIS process

Application Pool Idle Timeout
The settings for the application pool can be found by clicking Properties (IIS 6) or Advanced Settings (IIS 7.5) on the application pool that the application is assigned to.
 
Ensure this value is set to the timeout of your session, at a minimum, to ensure that all sessions persist for the entire session timeout period.
The reason that these two values are dependent on one another is because the session information is actually stored within the worker process of the application pool. That is to say, if the worker process is shutdown or killed for any reason, the session information will be lost.
Session Storage Mode
There are the modes of storing the session information:

  • ·         InProc (or In Process) – Default – Stores session information within the IIS worker process
  • ·         StateServer – Stores session information in a separate process (the ASP.NET state service)
  • ·         SQLServer – Stores session information in a SQL database
The only mode that is vulnerable to losing session information on a worker process is when the state is stored in the worker process. Both StateServer and SQLServer modes are not affected by worker process resets. Likewise, StateServer and SQLServer modes are the only options when it is necessary to share session state across more than a single IIS server.
For more information about these modes, check out MSDN.
ASP
There’s two ways to change the session timeout when you’re dealing with classic ASP.
You can set it at the application level, or programmatically, which means that the value can be different within the application.
Application Level
Since it doesn’t specifically state that the setting is for classic ASP, it may be confusing to know that the value is in: Application Properties -> Configuration… -> Options -> Enable session state.
It’s as simple as updating this value, and the session timeout for your entire classic ASP application is changed!

Programmatically
You can also use modify the Session.Timeout property at runtime to affect the timeout period of the session. One popular location to put this piece of code is in the global.asa file.

global.asa
<script language="VBScript" runat="Server">
Sub Session_OnStart
 Session.Timeout = 90
End Sub

</SCRIPT>
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)