I'm using an ASP.NET MVC app, and I've configured
<system.web><sessionState mode="InProc" timeout="90" /></system.web>
but it looks like the session is still valid for only 20 minutes instead of 90. Why?
How can I make this effective instead of the 20 (default, I suppose)?
I've checked the idle time in the application pool; it was 20. Is that the cause of the timeout? If yes, how can I override this from the config file?
The configuration you are posting seems correct.
Try to check also your IIS configuration. From this TechNet link:
Open IIS Manager and navigate to the level you want to manage.
In Features View, double-click ASP.
On the ASP page, under Services, expand Session Properties.
In the Time-out field, enter a time-out value in the format hh:mm:ss. For example, enter 00:15:00 for 15 minutes.
In the Actions pane, click Apply.
If you are using Forms Authentication, keep in mind that it uses its own timeout, which can be set as follows:
<system.web>
<authentication mode="Forms">
<forms timeout="90"/>
</authentication>
<sessionState mode="InProc" timeout="90" />
</system.web>
Because IIS restarts the pool (including sessions) after x minutes with no activity, as configured by the idle timeout in the settings of the pool itself, if the user sets 90 minutes of session in the app and there is no activity, IIS can restart the pool before these 90 minutes end. Example:
Session is configured as 60 minutes in app.config
After 30 minutes of idle, the pool recycles itself
Only one person uses the app
1.00pm: the user connects, navigates for 10 minutes and then does nothing on the page (for instance, fills in a very large form without submitting, and without Ajax calls). At this point, the user has a session "open" until 1.00am + 10 minutes + 60 minutes configured = 2.10 am
At 1.50 am, he tries to press the submit button but it doesn't work, because the app pool recycled at 1.40 (1.10 + 30 min of idle), so the user lost the session.
If it is possible that a user is alone on the app, the idle time must be the same as or greater than the session time.
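The interaction described in the answer above can be checked mechanically. The following is an added example, not part of the original answer: it reads the session and forms timeouts from a web.config string and compares them with the application pool idle timeout. The function name, the sample config and the warning texts are constructed for illustration; the defaults used are ASP.NET's 20 minutes for session state and 30 minutes for forms tickets.

```python
import xml.etree.ElementTree as ET

# ASP.NET defaults, in minutes, when the attribute is not set.
DEFAULT_SESSION_MIN = 20
DEFAULT_FORMS_MIN = 30

# Constructed sample matching the 60-minute session in the example above.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms timeout="60" />
    </authentication>
    <sessionState mode="InProc" timeout="60" />
  </system.web>
</configuration>
"""


def effective_timeouts(web_config_xml, pool_idle_min):
    """Return (session_min, forms_min, effective_min, warnings).

    pool_idle_min is the application pool "Idle Time-out" as shown in IIS
    Manager (it is not part of web.config); 0 means it is disabled.
    """
    root = ET.fromstring(web_config_xml)
    state = root.find("system.web/sessionState")
    auth = root.find("system.web/authentication")
    state_attrs = state.attrib if state is not None else {}
    mode = state_attrs.get("mode", "InProc")
    session_min = int(state_attrs.get("timeout", DEFAULT_SESSION_MIN))

    forms_min = None  # stays None unless forms authentication is enabled
    if auth is not None and auth.get("mode") == "Forms":
        forms = auth.find("forms")
        forms_attrs = forms.attrib if forms is not None else {}
        forms_min = int(forms_attrs.get("timeout", DEFAULT_FORMS_MIN))

    limits, warnings = [session_min], []
    if forms_min is not None:
        limits.append(forms_min)
        if forms_min != session_min:
            warnings.append("forms ticket and session expire at different times")
    # The pool only goes idle when nobody sends requests, so this is the
    # worst case of a single user, as in the example above.
    if mode == "InProc" and 0 < pool_idle_min < session_min:
        limits.append(pool_idle_min)
        warnings.append("pool idle timeout can discard InProc sessions early")
    return session_min, forms_min, min(limits), warnings
```

With the sample config and a 30-minute pool idle timeout, the effective lifetime is 30 minutes, which is why the user in the example loses the session at 1.40 rather than 2.10.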
Related
User authenticates, but is becoming unauthenticated within a minute or minutes. Seems to happen at random, but is within a handful of minutes.
Is there a breakpoint I can set someplace where logout is occurring, or a method of troubleshooting why a user is being logged out?
This doesn't seem to happen on localhost when running the project using VS, but is happening on the remote host after publishing.
Set the session state in IIS or the web.config:
<system.web>
<sessionState timeout="60"/>
...
That sets the timeout to be 60 minutes. You should also look up session state modes.
I believe I have studied all related stackoverflow questions as well as other web resources, but am still having this problem a dozen times or more daily in a 24x7 web app that is used by about 20 users at a time.
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
Users are saying that they are getting logged out earlier than the 60 minute timeout. (Some of the forms in the app take a long time to fill out. Users are interviewing people and writing notes, which can take a long time. So it's frustrating if you save the form after 20-30 minutes of slowly entering notes and it logs you out when you submit the form.)
Some details:
This is a single web server running IIS 7.5, not a farm (the database is on another box). All servers are VMs.
IIS session state is set to "In Process", and under cookie settings the timeout is 60 minutes.
The App Pool has idle timeout set to 60 minutes and recycling interval to 29 hours.
I don't see any errors in the event log prior to these "ticket expired" messages that indicate a worker process failed or the app pool was recycled.
And finally a snippet from the web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="60" protection="All" slidingExpiration="true" />
</authentication>
Any help to track down these session timeouts would be appreciated.
I have used jQuery idle timer to track user inactivity and display a warning before the session times out. It also allows the user to renew the session by making an Ajax call. Just for reference, you can refer to these links:
link 1
link2
Due to the complex business logic, I had to implement the authentication myself. I'm storing the authentication with:
FormsAuthentication.SetAuthCookie(identifier,false);
The false is to indicate that we don't want to have a persistent cookie.
I also have to store some information in the session (one piece of information that the user has to enter to log in, indicating which set of data he wants to access).
I'm storing those data through model binder.
It's working fine most of the time. But sometimes, after an inactivity period, we are still logged in but we don't have any data in the session.
I would like the duration of my session to be the same as the login session, to avoid this kind of "I'm logged in but I've lost some data in the session".
I don't need/want to have a persistent connection.
How should I proceed to have this system?
I believe the FormsAuthentication uses its own timeout. You can configure your web.config accordingly:
<system.web>
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
<sessionState timeout="50" />
</system.web>
In fact, there was a session timeout by default in the IIS application pool, so, to avoid this problem:
Go on IIS Manager
Go on the ServerName/Application Pools tab
Right click on the concerned application pool
Click on Advanced Settings,
In the section "Process Model", put a higher value in the "Idle Time-out" (this is in minutes)
Click on OK
Restart the application pool
For me, this + the Yannis config (setting the same value for the forms timeout + session state timeout) worked.
I have an ASP.NET 2.0 web site hosted on Windows Server 2008 with IIS 7. I am using InProc session mode (specified in web.config). My client wants the timeout to be 3 hours, meaning if the web site is idle, the session should remain alive for 3 hours. Currently, what is happening is that if the web site is idle for 20-30 min. and the user tries to access any link, it redirects to the login page.
I searched on internet and did all the possible settings (as follows):
In web config, session state, time out = 180 minutes.
In web config, forms authentication, time out = 180 minutes.
In IIS 7, Site->Features View->Session state - Session State Mode Setting: In Proc and Cookie Setting->Time out = 180 minutes
In IIS 7, Site->Features View->ASP->Services->Session Properties->Time out = 03:00:00 hours
In IIS 7, Application Pools->Site->Advanced Setting->Process Model->Idle Time-out = 180 minutes.
Even after doing all these settings, timeout has not increased and still if the web site is idle for 20-30 mins. and user tries to access the link, it redirects to login page.
Additional Information:
Whenever it redirects to login page after idle of 20-30 mins., and if I check the event log on server, it says something like (I am not sure whether this error is related to this particular issue or not):
"Forms authentication failed for request. Reason: The ticket supplied has expired"
How does your code issue the authentication ticket once users log in? The documentation says that the expiration attribute will overwrite whatever you set in the web.config - that might be the issue.
If the ticket is generated manually by using the FormsAuthenticationTicket class, the time-out can be set through the Expiration attribute. This value will override the timeout attribute value specified in configuration files.
I have user login logic in my web app. After a successful login, I set the user id in Session, so I can keep track of the user. And in my master file page load event, I do
Session.timeout = 60
so the session should time out after an hour. But my session times out at around 10 - 20 minutes. What am I doing wrong? I bet it's obvious.
It is probably due to your IIS settings. In IIS the default timeout for a session is 20 min.
Use the IIS manager to change it.
Have you tried setting it in your web.config instead of server side code?
<configuration>
<system.web>
<sessionState
mode="InProc"
cookieless="true"
timeout="60" />
</system.web>
</configuration>
If your app is crashing and restarting at all, your sessions will be lost.
I'd set up some Health Monitoring and set up a notification for your app restarting. If it happens more often than your 20 minutes, then something is crashing your app.