In web.config, I set timeout in the sessionState to 20 minutes. According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned. In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out automatically is populated with timeout value set in web.config, which in my case is 20 minutes. Also, Application Pools->DefaultAppPool->Advanced Settings->idleTimeout, I set it to 10 minutes.
Then I made two tests: First test: I logged in my web app at 3:45pm, idling for 10 minutes. At 3:55pm, I tried to use my app, I got kicked out. I think the idleTimeout comes into play.
Second test: I logged in my web app at 4:00pm, played with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. I expected being kicked out at 4:20pm. But I was not. I thought the session state timeout (20min) in IIS 7 is the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate. Apparently from this test, it is not. Can anyone explain that to me? Also, how could I set the timeout for above case?
Session timeout represents the event occurring when a user does not perform any action on a web site during an interval (defined by a web server). The event, on the server side, changes the status of the user session to 'invalid' (ie.
Click on Start -> Administrative Tools -> IIS. Click on the website name and open ASP feature from IIS group. Expand Session Properties under Services and as per requirement modify Time-Out value [Default Value is 00:20:00 (HH:MM:SS)]. From the Actions Pane, click on Apply link to save the changes.
The ConnectionTimeout property specifies the amount of time (in seconds) that the server waits before disconnecting an inactive connection. Specify a value between 1 and 65535 (0xffff). If a value outside of this range is specified, IIS uses the default of 120 seconds.
Absolute session timeout is a recommended security feature, while idle session timeout is mainly a resource management feature. Absolute session timeout requires all Spotfire users to log in to the program again after the configured amount of time.
Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server.
The Application Idle time-out kicks in if there have been no requests to your application for that period of time.
The usual scenario is therefore:
| Time | User A | User B | Session States |
|---|---|---|---|
| 12:00 | Visits Page1 | | A: New Session, Time-out: 20 minutes |
| 12:02 | Visits Page2 | | A: Time-out reset: 20 minutes |
| 12:10 | | Visits Page1 | A: Time-out: 12 min; B: New: 20 minutes |
| 12:15 | | Visits Page2 | A: Time-out: 07 min; B: Time-out: 20 min |
| 12:22 | | | A: times out; B: 13 min remaining |
| 12:32 | | | Application Shuts Down (Idle time reached) |
| 12:35 | Visits Page3 | | A: New Session Starts |
If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost.
The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that it's not AutoGenerated each time the server restarts.
If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will issue two cookies to each user:
Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session.
Responding to comments:
Session.Add(string, object)
method.
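The sliding behaviour described in the answer, replayed against the second test from the question, as an added example (a Python model, not ASP.NET or IIS code and not from the original posts). The `absolute_minutes` cap is an assumption: it is not an IIS or sessionState setting, and stands for application code that records when the session started and ends it once that age is reached.

```python
from datetime import datetime, timedelta

class SessionModel:
    """Toy model of one session: sliding idle timeout plus optional absolute cap."""

    def __init__(self, idle_minutes, absolute_minutes=None):
        self.idle = timedelta(minutes=idle_minutes)
        self.absolute = (timedelta(minutes=absolute_minutes)
                         if absolute_minutes is not None else None)
        self.created = None    # when the current session started
        self.last_seen = None  # last request that touched the session

    def request(self, now):
        """Handle a request at `now`; return 'new', 'active' or the expiry reason."""
        if self.created is None:
            self.created = self.last_seen = now
            return "new"
        if self.absolute is not None and now - self.created >= self.absolute:
            result = "expired-absolute"   # age since login, activity is irrelevant
        elif now - self.last_seen >= self.idle:
            result = "expired-idle"       # no request within the idle window
        else:
            self.last_seen = now          # sliding: each request resets the window
            return "active"
        self.created = self.last_seen = now  # old state is gone, fresh session begins
        return result

def replay(clock_times, idle_minutes, absolute_minutes=None):
    """Replay 'HH:MM' request times against one session and collect the outcomes."""
    session = SessionModel(idle_minutes, absolute_minutes)
    day = datetime(2000, 1, 1)  # constructed date, only the clock time matters
    results = []
    for hhmm in clock_times:
        hour, minute = map(int, hhmm.split(":"))
        results.append(session.request(day.replace(hour=hour, minute=minute)))
    return results

# Constructed inputs: the question's second test, and User A from the answer's table.
SECOND_TEST = ["16:00", "16:05", "16:10", "16:15", "16:20"]
USER_A = ["12:00", "12:02", "12:35"]

if __name__ == "__main__":
    print("sliding only    :", replay(SECOND_TEST, 20))
    print("with 20 min cap :", replay(SECOND_TEST, 20, 20))
    print("User A, sliding :", replay(USER_A, 20))
```
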