how can set Session time out settings in web config file - asp.net

I want to set session time out in asp.net web config file.I Google it for the best method.then I get multiple results.I am confusing that setting session state following code.which I one choose for appropriate session time out.Can I get a description about it
code 1:
<configuration><system.web>
<compilation debug="true" targetFramework="4.5"/>
<httpRuntime targetFramework="4.5" />
<sessionState timeout="20000"></sessionState>
code 2:
<sessionState mode="InProc" cookieless="false" timeout="2000"/>
code 3:
<sessionState timeout="40" />

Session timeout can be set be defining the timeout property like this.
<sessionState timeout="20000"></sessionState>
This time is in minutes and default timeout is 20 minutes.
What is making you confuse is mode="InProc". This is the mode which defines that where session data will be stored there are different modes in which data can be saved. Please read this article for details about session state. There are different properties for session state which can be configured just like you have configured timeout property.
Session Modes
Custom
Session state is using a custom data store to store session-state information.
InProc
Session state is in process with an ASP.NET worker process.
Off
Session state is disabled.
SQLServer
Session state is using an out-of-process SQL Server database to store state information.
StateServer
Session state is using the out-of-process ASP.NET state service to store state information.

Related

In a multi web server farm, how does session state work?

CASE 1: StateServer
<system.web>
<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42626" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
...
</system.web>
CASE 2: SQL Server
<sessionState mode="SQLServer" stateConnectionString="tcpip=127.0.0.1:42626" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
Question:
1. In case 1 and 2 appropriate location of sql or state server have to be configured in web.config for each of the web server in farm.
Can we have some servers configured as state and some as sql?
Can we have some cookieless and some as withcookie
Suppose if we use only <sessionState cookieless="true" />, then by default which of the modes is used? Can this be done in a multiserver farm, or is it necessary to specify the IP?
1.) Can we have some servers configured as state and some as sql?
No, you should not. Suppose when a user makes a request, then one of the server from your Web Farm will store the session in a StateServer. now in case the same user makes another request ( by clicking some links etc...), then image what will happen if your load balancer send this request to the 2nd Web server ? There will be NO session for the same user as you configured SqlServer mode for the same and the session for the user was stored on a state server on First request.
2.) Can we have some cookieless and some as withcookie ?
Again NO, for a very similar understanding as pointed above. One of the server will use cookies to track the session and the other one Cookieless ( hence URI ) to track the same session and thus, if the request gets forwarded to different servers, NO session will be detected.
3.) Suppose if we use only <sessionState cookieless="true" />, then by default which of the modes is used? Can this be done in a multiserver farm, or is it necessary to specify the IP?
Understand that this setting: cookieless="true|false", is just used to TRACK the session for a Particular user between the Client side and server side.
The Actual session DATA is there stored on SqlServer/State Server, which is defined in your mode settings as:
<sessionState mode="StateServer|SqlServer" ... />
if you don't specify any mode setting, default value of InProc is used.
Additional Note:
The Cookie or the URI have a SessionID associated with them. SessionID is a unique string, used to TRACK individual visitor between visits to website.
As a result of cookieless="true", SessionID will be embedded in all page URLs. The drawback is that you'll end up with ugly URLs, which are not so good for SEO (search engine optimization) and visitor definitely will not remember it. Here is an example URL of website which uses ASP.NET cookieless sessions:
http://samplewebsite.com/(45f8c4zyybphaw2mt3dfgnjk4j)/Home.aspx
Bolded part represents session id, which is used to recognize a visitor.
Your question is a bit vague. If you're hosting one app across multiple servers I would recommend sticking to one method. What if one user first connects to a server with one mode, and the next request is handled by another one? The session state would not be accessible/known to the other server.
As to your questions, the documentation is really quite clear.
cookieless does not affect mode. If you don't specify mode, the default is InProc. If cookieless is true, ASP will use the query string.

Sessions and auth in asp.net

While deveoping a site (using Forms authentication and InProc sessionstate) a frequently run into a scenario where I lose the variables stored in Session (such as Session["myVar"]), but my auth-session remains valid.
This results in some wierd behavior on my site.
Why is this happening and what can I do to prevent diffrent lifecycles for my auth and my session variables?
In Asp.Net a Session and "Being logged in" are not the same thing.
Both are (usually) controlled by cookies, but the cookies are separate.
To control how long a Session is kept alive, please see answer by Jonas T.
To control how long a user remains logged in, you can use the timeOut on the <forms ... /> element:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="120" slidingExpiration="true"/>
</authentication>
...
</system.web>
To get rid of your problem you should make sure that the session timeout is at least as long as the forms authentication timeout.
If you are allowing persisted cookies in forms authentication ("Remember me"), then there are no gurantees. In that case you just have to set the session timeout to "long enough" according to some criteria/specification.
Edit: Also check the settings on your application pool (under IIS) where the site is deployed. And specifically check what the "Idle Time-out" is. If this is set low (default value is 20 minutes I think), then IIS will shut down the application pool if no request have come in during that time. That (of course) terminates whatever in-proc sessions existed.
Forms Authentication stores its ticket in Cookie at client side or URL(if cookie is disabled).
Session variables are stored at server side with expired time. If you want your variable to be more persistent use cookie.
You can extend your session time out in web config. This is for 20 minutes.
<configuration>
<system.web>
<sessionState timeout="20"></sessionState>
</system.web>
</configuration>
You said that you are working with ASP.NET Form authentication/authorization then I'd suggest you to use Profile instead of Session state.

ASP.Net MVC: Session duration?

Due to the complex business logic, I had to implement myself the authentication. I'm storing the authentication with:
FormsAuthentication.SetAuthCookie(identifier,false);
The False is to indicate that we don't want to have persistent cookie
I've to also store in session some informations(one information that the user has to enter to login, indicating for which set of data he wants to access).
I'm storing those data through model binder.
It's working fine most of the time. But sometime after an inactivity period, we are still logged but we don't have any data in session.
I would like that the duration of my session is the same than the login session, to avoid this kind of "I'm logged but I've lost some data in the session".
I don't need/want to have a persistent connection.
How should I proceed to have this system?
I believe the FormsAuthentication uses its own timeout. You can configure your web.config accordingly:
<system.web>
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
<sessionState timeout="50" />
</system.web>
In fact, There was a Session timeout by default in the IIS Application pool, so, to avoid this problem:
Go on IIS Manager
Go on the ServerName/Application Pools tab
Right click on the concerned application pool
Click on Advanced Settings,
In the section "Process Model", put an higher value in the "Idle Time-out"(this is in minutes
Click on OK
Restart the application pool
For me, this + the Yannis config(setting the same value for the form timeout+session state timeout) worked.

Asp.Net how to transfer session state to a State Server

I need to transfer session state of an Asp.Net application to a state server. Does any one have any experience about how to do it?
Thanks .
if you want to use SQL Server as session state server, put this snippet in your web.config:
<sessionState
mode="SQLServer"
sqlConnectionString="data source=server;user id=uid;password=pwd"
cookieless="false" timeout="20" />
keep in mind that in order to have the Session Serialized to a State Server you should put in the Session only serializable objects, or you will get exceptions.
We had this problem in the past and had to check everywhere in the code and make all objects stored in the session Serializable; for some classes it's easy for others is less.
you can also read this article: Using SQL Server for ASP.Net session state or any other article you find online ;-)
Edit: for the StateServer you should change the mode attribute in the web.config to the value: StateServer.
also for this there are articles and examples and discussions also in SO:
ASP.NET: Moving Session Out-of-Process with StateServer (Adventures in ASP.NET)
Scaling up the ASP.NET session state server (SO)
Step 1: In System.Web configuration section of web.config add following
<sessionState cookieless="UseCookies" timeout="1440" mode="StateServer" />
Step 2: From Control Panel => Administrative tools => Services, start the service called as "ASP.NET State Service"
thats it.

Session Time Out

We are developing a web application in Asp.net(4.0). In this application we use jquery and javascript and webservices and I frames
Here I am getting the problem with session expire. How can I solve this? I can't understand where the session is expiring.
If I'm understanding the question properly, you can adjust session timeout in your Web.config file, using something like this:
<system.web>
<sessionState mode="[Off|InProc|StateServer|SQLServer|Custom]" timeout="[numberOfMinutes]" />
...
</system.web>
Your use of JQuery, javascript, webservices, and IFrames are not affecting your session expiration issue.
The following page is an excellent resource for learning to use the Session State:
ASP.NET Session State Overview
Go to the section on that page titled Configuring Session State for information pertaining specifically to your question.
Here's your options for Session State configuration, including timeout:
<sessionState mode="SQLServer"
cookieless="true "
regenerateExpiredSessionId="true "
timeout="30"
sqlConnectionString="Data Source=MySqlServer;Integrated Security=SSPI;"
stateNetworkTimeout="30"/>

Resources