Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does the session timeout work in IIS 7?

In web.config, I set timeout in the sessionState to 20 minutes. According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned. In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out automatically is populated with timeout value set in web.config, which in my case is 20 minutes. Also, Application Pools->DefaultAppPool->Advanced Settings->idleTimeout, I set it to 10 minutes.

Then I made two tests: First test: I logged in my web app at 3:45pm, idling for 10 minutes. At 3:55pm, I tried to use my app, I got kicked out. I think the idleTimeout comes in play.

Second test: I logged in my web app at 4:00pm, play with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. I expected being kicked out at 4:20pm. But I was not. I thought the session state timeout (20min) in IIS 7 is the the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate. Apparently from this test, it is not. Can anyone explain that to me? Also, how could I set the timeout for above case?

like image 204
GLP Avatar asked Feb 21 '12 21:02

GLP


People also ask

How does session timeout work?

Session timeout represents the event occuring when a user does not perform any action on a web site during an interval (defined by a web server). The event, on the server side, changes the status of the user session to 'invalid' (ie.

How do I set session timeout in IIS?

Click on Start -> Administrative Tools -> IIS. Click on the website name and open ASP feature from IIS group. Expand Session Properties under Services and as per requirement modify Time-Out value [Default Value is 00:20:00 (HH:MM:SS)]. From the Actions Pane, click on Apply link to save the changes.

What is IIS connection timeout?

The ConnectionTimeout property specifies the amount of time (in seconds) that the server waits before disconnecting an inactive connection. Specify a value between 1 and 65535 (0xffff). If a value outside of this range is specified, IIS uses the default of 120 seconds.

What is the difference between session timeout and idle timeout?

Absolute session timeout is a recommended security feature, while idle session timeout is mainly a resource management feature. Absolute session timeout requires all Spotfire users to log in to the program again after the configured amount of time.


1 Answers

Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server.

The Application Idle time-out kicks in if there have been no requests to your application for that period of time.

The usual scenarios is therefore:

Time User A User B Session States
12:00 Visits Page1 A: New Session, Time-out: 20 minutes
12:02 Visits Page2 A: Time-out reset: 20 minutes
12:10 Visits Page1 A: Time-out: 12 min; B: New: 20 minutes
12:15 Visits Page2 A: Time-out: 07 min; B: Time-out: 20 min
12:22 A: times out; B: 13 min remaining
12:32 Application Shuts Down (Idle time reached)
12:35 Visits Page3 A: New Session Starts

If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost.

The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that's it not AutoGenerated each time the server restarts.

If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will will issue two cookies to each user:

  1. Authentication Token: Controlled by the Authentication time-out setting, allows the user to be auto logged in to your site if the cookie hasn't expired, this can be fixed or sliding, and defaults to 30 minutes, which means their authentication token can cope with a longer "idle" period than their session.
  2. Session Token: Controlled by the Session Time-out setting, allows your application to store and access per-user values during the lifetime of their visit.

Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session.


Responding to comments:

  1. The 20 minute session time-out relates to items you've placed in the users session object (HttpSessionState) using the Session.Add(string, object) method.
  2. That depends. If you've correctly configured the machine.key, authentication tokens will still be valid, and if your sessions are no longer "InProc" these will also persist through application restarts and will still be readable - see notes above.
like image 136
Zhaph - Ben Duguid Avatar answered Sep 24 '22 05:09

Zhaph - Ben Duguid