Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Increasing Session TimeOut

Site hosted via IIS 7.0

I would like to set my session time-out to 9 hours in my ASP.NET application.
This has been set at web.config

<sessionState timeout="540"></sessionState>

But, as I understand, if the timeout is set as 20 minutes inside the IIS where the website is hosted, setting an extended session state will be of no use.

Firstly, I would like to confirm whether this assumption is right.

The problem is that I do not have access to the IIS of my shared hosted web server.

Now, after some research, I came up with another solution in code project. This sounds like a wonderful idea. The idea is to insert an iframe to master page. The iframe will contain another page with meta refresh less than 20 minutes.

 Response.AddHeader("Refresh", "20");

This idea seemed good for me. But the article is 7 years old. Plus at comments section a user complaints that this won't work if the page is minimized and I am worried that the same happens when my pages tab is not active.

I would like to know these things

  1. Whether the refresh method will work for my scenario , even if the page is minimized?
  2. Are there any other methods that could increase session time out that overrides IIS timeout setting?
  3. Also I read some questions in Stack Overflow where the answers state that the IIS session timeout is for clasic ASP pages. Then why is not my extended timeout not firing?
like image 649
naveen Avatar asked Dec 28 '11 13:12

naveen


1 Answers

Firstly, I would like to confirm whether this assumption is right.

Yes, this assumption is absolutely right in case you are using in-memory session state mode. In this case the session is stored in memory and since IIS could tear down the AppDomain under different circumstances (period of inactivity, CPU/memory tresholds are reached, ...) the session data will be lost. You could use an out-of-process session state mode. Either StateServer or SQLServer. In the first case the session is stored in the memory of a special dedicated machine running the aspstate Windows service and in the second case it is a dedicated SQL Server. The SQL Server is the most robust but obviously the slowest.

1) Whether the refresh method will work for my scenario , even if the page is minimized?

The hidden iframe still works to maintain the session alive but as I said previously there might be some conditions when IIS unloads the application anyway (CPU/memory tresholds are reached => you could configure this in IIS as well).

2) Are there any other methods that could increase session time out that overrides IIS timeout setting?

The previous method doesn't increase the session timeout. It simply maintains the session alive by sending HTTP requests to the server at regular intervals to prevent IIS from bringing the AppDomain down.

3) Also I read some questions in Stack Overflow where the answers state that the IIS session timeout is for clasic ASP pages. Then why is not my extended timeout not firing?

There is no such thing as IIS session timeout. The session is an ASP.NET artifact. IIS is a web server that doesn't know anything about sessions.

Personally I don't use sessions in my applications. I simply disable them:

<sessionState mode="Off"></sessionState>

and use standard HTTP artifacts such as cookies, query string parameters, ... to maintain state. I prefer to persist information in my backend and retrieving it later using unique ids instead of relying on sessions.

like image 120
Darin Dimitrov Avatar answered Sep 19 '22 04:09

Darin Dimitrov