I am trying to make the session timeout in my application configurable.
When I put the following code in my web.config file it works fine:
<sessionState cookieless="true" timeout="1" />
That is, I can see my session times out after 1 minute. However, this code has the side effect of putting the session id in the url which is not desirable.
On the other hand, if I use the following code in my web.config, the session does not timeout for at least 1 hour or longer:
<sessionState cookieless="false" timeout="1" />
To determine that the session is in fact timing out, I am using the following code in my _Layout.cshtml:
#if (Session[MvcApplication._Ssn_UserName] == null)
{
Response.Redirect("~/Login/Index");
}
When the timeout is working, I see the user redirected to my Login page anytime they navigate to a different page or just hit the refresh button in the browser.
I see the same behavior when running from Visual Studio (IIS Express) or when running on IIS.
I've done a lot of searching online, and haven't discovered any correlation between the cookieless setting and the timeout behavior. Any ideas would be appreciated.
Try to use the iis session state setting as suggested below:
1)open iis and select your site.
2)select the session state feature
3)set the mode and cookie setting as per your choice:
session timeout value should not be set higher than 20 minutes (except in special cases) because every open session is holding onto memory. It should also not be set lower than 4 minutes because clients rarely respond within that time resulting in a loss of session state.so try to set like 5 minutes or more.
make sure there is no other session time out setting which conflicts with this setting like global.asax file setting or code-behind time out setting.
try to set the iis application pool ideal time out setting the same as session Tim out setting.
go to the Application Pool of the website --> go to advanced settings --> Process Model --> and change Idle Time-out
Related
I'm having issues with session timeout issues with a public facing site that is utilized by several clients that may have various "secured" browser configurations. In general we have the session timeout set for 15 mins within the web.config. However, they are getting a timeout within a min or within 30 seconds or so for every page postback. Within our environment and with some other clients they have no issues and the timeout occurs as expected. We are unable to access their systems and know very little about their infrastructure. The only thing I'm thinking is they may have configuration to disallow cookies or delete/wipe them every few seconds etc. Not sure....
I'm at a loss on what to look at as within our web.config we set our sessionstate as follows.
<sessionState allowCustomSqlDatabase="true" cookieless="UseCookies" mode="InProc" sqlConnectionString="somestring Integrated Security=SSPI;pooling=true;encrypt=true;trustservercertificate=true" timeout="15">
If someone has ideas on where to look.
Where does classic ASP store the value for session timeout? I have looked through the code and this classic ASP website isn't using Global.asa(so no "Session_OnStart") or Session.timeout=x. The website is hosted on IIS 7.On IIS for this website,in Features view,double-clicking on "ASP" -> Session Properties -> Enable session is set to 'True' and the Time-out value is set to 20. The problem is: though the session time-out is set to 20 mins. on IIS,it times out after 5 minutes. Is there any other way/place to modify the session timeout value for this classic ASP website?
Can someone help me with this please?
Edit: I looked at the settings for the application pool.The Idle time-out is 20 mins. and Recycling->Regular Time Interval is set to 1740.
Following on from my comments, your Recycling settings need to be set like the following image to make sure the Application Pool will not be reset.
It's also worth setting the "Generate Recycle Event log Entry" so you can see what events are causing your Application Pool to reset. That way you can monitor it in the Event Viewer.
Useful Links
Why is the IIS default app pool recycle set to 1740 minutes? (Saturday, April 6, 2013)
You can do it 2 way.
Put global asa file into root of your site and define session time out there
You can introduce following line on top of each of the pages in question (if you not using include header)
<%
Session.Timeout=20
Server.ScriptTimeout=1200
%>
20 is been period in minutes and 1200 is same period in seconds. Keep in mind that server takes a seconds not a minutes!!! By default IIS terminates any script if it runs longer then 90 seconds.
If you using include file as a header then you will need to do it only once there, on the top of the page right after option explicit. and assuming that you already did disabled all app pool defaults as what #Lankymart suggested.
In IIS7, click on your site, double click ASP, then expand the Limits Properties. You will then see a Script Time-out setting in HH:MM:SS format. Set that and it should fix things.
Source: http://technet.microsoft.com/en-us/library/bb632464.aspx
Have you looked at the web.config file? I am not a classic asp expert, but in asp.net you can also set session state in the file like so:
<sessionState mode="InProc" cookieless="false" timeout="60"></sessionState>
You may want to verify 2 things.
1.) That you app pool is not recycling too often.
2.) What I mentioned above.
When user login i am storing user_id in Session variable and on second page i am checking on page load if user_id exists then fine, otherwise redirect to sign in page but when i login and and redirected to next page after few seconds when i refresh page my session is null there and i am redirected to sign in page its happening in whole application i have tried all solutions but all in vain
Another thing is that application working fine on development server and also on local IIS in LAN but on live server this issue is occurring.
Kindly suggest solution, i am also defining session time out in minutes and mode in Proc in web.config.
Thanks in advance
If you are using InProc session state mode and multiple worker processes in the application pool then Session might expire automatically after few seconds as data loss can occur if different requests for the same session are served by different worker processes.
In my case, I am using InProc session state mode with Maximum Worker Process set to 4 hence session was expiring.
Setting Maximum Worker Process = 1 solved it.
You can add <httpRuntime delayNotificationTimeout=""/> in your web.config. see more
OR
Try this
<authentication mode="Forms">
<forms loginUrl="/loginurl" timeout="2880" />
</authentication>
try this in web.config
<configuration>
<system.web>
<sessionState mode="InProc" timeout="90"></sessionState>
</system.web>
</configuration>
One session issue I just ran into, which may help here, is that users from certain companies would have their sessions end fairly quickly but other users had no problem. After doing a lot of testing, I found that users connecting to the website from their office were having problems but the same user connecting from home had no problem.
Their company is setup to use a single IP (or set of IPs) for all out bound web requests. Well, this company had multiple IPs for out-site access and that IP changed (or could change) with each request. This would reset the session on my website and log them out.
I am still in the process of implementing a fix or a check for this so I can't give you a fool proof fix, but it is something to look into. This would explain what is happening to you.
Any chance you're using a cluster of servers? Network load balancing might reroute the client to a different server every time. If so, either the NLB has to be reconfigured to keep a client on a single server or set up session sharing.
Also check that the application pool doesn't have some obscene rule to recycle itself too often.
I have set session time out to 9 hours in web.config file something like this:
“<sessionState mode="InProc" timeout="540" />
But often users complain that they are facing time out in less than 9 hours of inactivity and the time interval after they are timed out also varies.
I was wondering if session time out is dependent on any of the below settings in IIS:
Session time setting
Idle- time out setting for Application pool
Recycling setting.
Please advise.
Also, how do I check session time out setting in IIS 7.0?
The session will be lost when the ApplicationPool recycles. That's one of the IIS settings that you mentioned. To set only the timeout in the web.config will not be enough. You need to adjust the setting in IIS.
Here is a link I found while I was looking into the same problem.
Also, this question was very useful: Losing Session State
If you are using Forms authentication you should make sure your FormAuthentication Cookie is set to expire at the same time as your Session.
If not make sure your IIS is not getting recycled. ( put a logger in your Global.asax to verify the application end events compared to your users complaints.)
It is not enough to set session time out in your web config. If the server on which your site is hosted is having less time out value set in IIS setting, your session is time out according to the server session time out value.
also if you are deleting any folder from the server directory, this can also cause your AppPool to recycle unexpectedly.
so please check the server session time out value and if it less then ask your hosting to increase it as per your requirement.
I'm very confused when it comes to what actually decides the session time-out.
The web app needs to allow for a 20 minute "idle time" before logging (or throwing) users out. I've tried different setting on both sessionState and Recycle worker processes in IIS. The time-out remains too short and, as far as my quit-n-dirty, primitive tests have shown, a bit random.
I read somewhere that the default time-out is 20 minutes, but in my app it appears to be closer to five. Are there any easy ways to change this? The app is running .NET 3.5 on IIS 6.
EDIT:
I just realized that the Entity Framework might have something to do with the problem, as the user content is held as a context in the entity framework. Is there any time limit for how long an entity is held?
The user will be logged out based on your Authentication settings in the web.config.
The Session timout will be set in your session tag in the web.config.
If they are different then you will see "interesting" results.
http://msdn.microsoft.com/en-us/library/ms972429.aspx
If you look in the web.config you can write some thing like this
<configuration>
<sessionstate timeout="20" />
</configuration>
and there you can set you timeout..
Use the sessionstate timeout. You do not want to use Recycle Worker, as this will recycle all sessions associated with that worker, every N minutes. It's a good idea to set Recycle Worker to a very high value if you are using the session variable.