Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Increasing session timeout to a week or more

In order to increase session timeout, it appears I would use the following setting:

<system.web>
  <sessionState mode="InProc" timeout="20" />
  /* Etc... */
</system.web>

Here the timeout is set to 20 minutes (the default value). And, apparently, the maximum value is 525,600 minutes, or one year.

I can come back to Facebook a week later and I'm still logged in. This is how I want my application to behave. But according to this answer, this can adversely affect performance because "your inactive sessions will remain in Web server memory which may cause application pool to recycle, which would result in loosing all sessions for all users."

Does anyone know the details about this performance hit? And, if it's for real, is there a more performant way to keep users logged in like sites such as Facebook?

UPDATE:

Below is the relevant section of my current web.config file.

<system.web>
  <authentication mode="None" />
  <sessionState mode="InProc" timeout="60" />
  <compilation debug="true" targetFramework="4.6" />
  <httpRuntime targetFramework="4.5.2" executionTimeout="240" maxRequestLength="20480" />
  <httpModules>
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
  </httpModules>
  <customErrors mode="Off"></customErrors>
</system.web>
<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <remove name="ApplicationInsightsWebTracking" />
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
  </modules>
  <validation validateIntegratedModeConfiguration="false" />
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="20971520" />
    </requestFiltering>
  </security>
</system.webServer>

UPDATE 2:

Looks like I was incorrectly conflating two issues (authentication and session state). I apologize for not correctly sorting through some issues I was Googling on. My goal is only to extended the length of time a user is logged in.

like image 510
Jonathan Wood Avatar asked Aug 19 '17 15:08

Jonathan Wood


1 Answers

For Login, you must use FormsAuthentication or ASP.NET Identity (Improved version of cookie based authentication over FormsAuthentication) which allows you to keep authentication cookie for more then weeks/months. FormsAuthentication is stateless, and in order to support multiple servers, you can use single machineKey in all servers. All samples and tutorials mostly guide to use FormsAuthentication by default.

Faceboook and everyone use authentication cookie, no body uses Session for login.

Ideally Session is bad and mostly unnecessary. It can be replaced with HttpRuntime.Cache. Cache can be easily setup to use some external provider such as Fabric cache or Redis. To make cache isolated by user, you can simply append keys of cached item with username.

UPDATE

There is no downside in using FormsAuthentication except that there is little CPU overhead required in decrypting cookie, but that can also be avoided by caching authentication ticket.

The only reason to support Session could be compatibility with old ASP application they might be supporting.

In the new ASP.NET MVC sample, they have configured cookie based authentication in code (in startup), which is not session. Though session is configured in web.config but as long as you don't want to store anything in session, you can completely disable it.

like image 85
Akash Kava Avatar answered Sep 28 '22 12:09

Akash Kava