Setting my forms authentication timeout and sessionState timeout from my config never seem to have the desired effect. I always have to set the sessionstate timeout on the website on the server and it also seems like I need to set the application pool idle timeout as well.
What is the point of the config setting if the server can just override it?
What are the priority of the settings, strictly in terms of authentication and the time to keep a user logged in? I have not done extensive testing on this but it feels like if any of the 4 settings are out of sync, the users don't get timed out predictably.
The main thing is that they aren't related at all.
Forms authentication timeout won't have anything to do with session timeout. Forms authentication timeouts may or may not slide and only store the authentication cookie. Even if they are set to slide a user still has to interact with the server after the halfway point in the timeout for it to slide, else it doesn't.
Session timeout is just there to store data for X amount of time if needed and the timeout will slide.
The application pool is there to keep everything running smoothly. Application pools need to recycle every so often and that can be disruptive, but it's the health of the app and the server they are worried in. Of course, if you aren't using a state server or storing session in database the session can end up killed off as well.
Couple things that help in this scenario:
Use session wisely as it's a pig for resources, and always have a means to check for nulls and recreate the needed objects/values if it is null.
Create a machinekey for your app. This will make sure the way that the app encrypts data doesn't change with each app recycle. If a recycle occurs it could have an effect on logged in users because the encryption of the ticket may not match. A nice side effect of creating an explicit machinekey can also help you use a webgarden if you want, but only if you a state server or store session in db since in memory session can't be shared among processes.
So they aren't inter-related but can effect each other. There is also no way in hell I would want an application to have it's own settings that would over-ride an app pool setting since a well set app pool keeps the site and server healthy and running well and that's the main reason it trumps all.
Related
I have the following use scenario: User logs in to ASP.NET application; and at some point makes a connection to remote TCP/IP server. The server's response may come after significant delay (say, a few hours). Imagine that the user submits a batch job, and the job may be running for a long time. So, the user may close the browser, get some coffee and come back to see the results later.
However, if client closes the connection, the server will never return the results. So, keeping Socket info in Application object won't work - once user closes the browser, it goes away.
Is there any other way to persist this open socket while IIS is up? Also, if the second user logs in, I would prefer to use the same connection. Finally, I realize that the solution is brittle, and it may occasionally break. It's OK.
Remote server is 20-year old mainframe application; so no chance for changes there. And as long as the user doesn't log out - everything is working fine now. Everything is on the LAN, so there are no routing issues to complicate the situation.
The contents of the application dictionary are not lost when a user logs out. Your scheme will work (in a brittle way, but you say that's ok).
Note, that worker processes can exit for many reasons, so expect to be killed at arbitrary points in time.
you have several options for persisting session-state: MSDN - Session-State Modes
inproc mode: you disconnect, state is lost. if you use cookies, and
store info/data somewhere on the backend, then you can map the GUID
to the data, regardless of session. or use application-state.
stateserver: persisted across disconnects and application restarts,
but not across iis/pool/server restarts, unless you use another
server, or cookie/auth. can be problematic sometimes.
sqlserver: as the name implies, uses a specially formatted db/table structure to persist state data across all sorts of scenarios.
custom/off: allows you to build your own provider, or turns it off completely.
here's the cookie method, by far the simplest (you have to generate a GUID, then store it in the cookie and application state or a backend DB): MSDN - Maintaining Session State with Cookies
you can persist cookies on the user's client. then, on server
reboot/client disconnect/any other scenario just pull the GUID from
app/session state or from a backend DB, which will also store the data
for the reports/output.
also, as a caution: even though cookies can be used to auth a user to an account/db record via GUID, it is considered insecure for all other purposes except unindentifiable information, such as: view shopping cart, simple reports, status, etc...
oh, and the stuff on IIS session timeouts (20 mins by default): MSDN - Configure Session Time-out (IIS 7) and MSDN - Configure Idle Time-out Settings for an Application Pool (IIS 7)
completely forgot to add the links on: ASP.NET Application State Overview, ASP.NET Session State Overview, but storing large amounts of data on a busy server in application state is not recommended. oh yea, and MSDN - Caching Application Data
Site hosted via IIS 7.0
I would like to set my session time-out to 9 hours in my ASP.NET application.
This has been set at web.config
<sessionState timeout="540"></sessionState>
But, as I understand, if the timeout is set as 20 minutes inside the IIS where the website is hosted, setting an extended session state will be of no use.
Firstly, I would like to confirm whether this assumption is right.
The problem is that I do not have access to the IIS of my shared hosted web server.
Now, after some research, I came up with another solution in code project. This sounds like a wonderful idea. The idea is to insert an iframe to master page. The iframe will contain another page with meta refresh less than 20 minutes.
Response.AddHeader("Refresh", "20");
This idea seemed good for me. But the article is 7 years old. Plus at comments section a user complaints that this won't work if the page is minimized and I am worried that the same happens when my pages tab is not active.
I would like to know these things
Whether the refresh method will work for my scenario , even if the page is minimized?
Are there any other methods that could increase session time out that overrides IIS timeout setting?
Also I read some questions in Stack Overflow where the answers state that the IIS session timeout is for clasic ASP pages. Then why is not my extended timeout not firing?
Firstly, I would like to confirm whether this assumption is right.
Yes, this assumption is absolutely right in case you are using in-memory session state mode. In this case the session is stored in memory and since IIS could tear down the AppDomain under different circumstances (period of inactivity, CPU/memory tresholds are reached, ...) the session data will be lost. You could use an out-of-process session state mode. Either StateServer or SQLServer. In the first case the session is stored in the memory of a special dedicated machine running the aspstate Windows service and in the second case it is a dedicated SQL Server. The SQL Server is the most robust but obviously the slowest.
1) Whether the refresh method will work for my scenario , even if the page is minimized?
The hidden iframe still works to maintain the session alive but as I said previously there might be some conditions when IIS unloads the application anyway (CPU/memory tresholds are reached => you could configure this in IIS as well).
2) Are there any other methods that could increase session time out that overrides IIS timeout setting?
The previous method doesn't increase the session timeout. It simply maintains the session alive by sending HTTP requests to the server at regular intervals to prevent IIS from bringing the AppDomain down.
3) Also I read some questions in Stack Overflow where the answers state
that the IIS session timeout is for clasic ASP pages. Then why is not
my extended timeout not firing?
There is no such thing as IIS session timeout. The session is an ASP.NET artifact. IIS is a web server that doesn't know anything about sessions.
Personally I don't use sessions in my applications. I simply disable them:
<sessionState mode="Off"></sessionState>
and use standard HTTP artifacts such as cookies, query string parameters, ... to maintain state. I prefer to persist information in my backend and retrieving it later using unique ids instead of relying on sessions.
Hey I have the following line in my web.config
<sessionState mode="InProc" timeout="45"/>
Which I thought would keep sessions intact for 45 mins
But I have seen the case where if a user is inactive for lets say 15 mins the sessions times out.
How can I stop this ?
Edit : Just noticed I have the following line in the master page
meta http-equiv="Refresh" content="1800;URL=http://www.virtualacademy.ie/login.aspx">
Maybe this is causing the issue, what is the above line doing i.e the number 1800
Be sure to check your IIS configuration because the application pool that your site is hosted on also has its own timeout value which will override your own .config.
To increase it,
Open IIS
Select Application Pools on the left side
Select the Application Pool used by your site
Choose advanced settings
Under Process Model categtory increase the 'Idle Time-out' value to the desired length.
Hope this helps.
(If you do not have a dedicated server / access to IIS with your hosting provider you will have to contact them to see if they can increase it for you)
If the user closes their browser or clears cookies, or if the AppDomain on the server is recycled, the session state will be lost.
Have you checked logs to see if the app is recycling?
AppDomain recycles are a very common problem for this if the sessionState is InProc. It is very much advised to use a StateServer or SQLServer for production systems instead. See Session-State Modes for documentation on how to use each, and the pros and cons of the three different types.
Personally, we use SQL Server if we must for web server farms--slower but can be shared. We use State Server if the site will only be hosted on a single web server--state survives AppDomain restarts, but not entire server restarts.
Also, in the past we have used an AJAX post in the background while the user is watching long running videos or performing long client-side tasks, so that the session timeout gets reset every few minutes. Nothing special about this code--just have a little JavaScript hit every few minutes some ASPX page that returns nothing.
Are you using Forms Authentication? It has its own timeout setting that when expires will redirect the user to your login page even if their session is still valid.
I need to understand something about ASP.NET session state, as it applies to IIS 7 and ASP.net 3.5.
If an application is configured to use in-process session state, will that work OK if there are multiple worker processes? In other words, do worker processes share session state?
The default configuration for IIS 7 is to use in-process session state and to allocate a maximum of 10 worker processes. It would seem likely then, that this default configuration should work. I'm dealing with a company that has produced an ASP.NET MVC web app that is having some problems, they're blaming the server environment. The claim is that because I'm using the default settings of 10 worker processes, that is breaking their session state. I need to know whether this is in fact an accurate claim. I've never known an ASP.NET app to not work with the default configuration, so I'm a bit confused and need to have this clarified.
Having multiple worker processes and using InProc does not seem to be compatible.
See this:
If you enable Web-garden mode by setting the webGarden attribute to true in the processModel element of the application's Web.config file, do not use InProc session state mode. If you do, data loss can occur if different requests for the same session are served by different worker processes.
More than one worker process is a "web garden." In-process session state will not work correctly. You'll need to use either a single worker process for your web app, or use a session state server, or SQL Server for session state.
I may be wrong, but as far as I know, by default you only have 1 worker process per application domain with multiple worker threads to handle requests. In this case In-Proc Session State should work just fine (the default settings).
But if you do have multiple worker processes (not just worker threads, actual worker processes) you do need out of process session state.
I think having more than 1 worker process in ASP.NET is referred to web garden mode which you have to specifically enable and if you do, then you need out of process state management. See the comment box on this page under the In-Process Mode heading.
I experienced session lost problem and finally struggled to find the root cause.
Recently I received several bug reprot about the session lost. If the website load is low, everything is OK. If the website load is high, the session lost issue happens. This is very weird.
The root cause is between Worker process setting and Session state. Here we have 5 worker processes, which means it will have 5 independent processes running when the website load is high. While the session is stored in process, IIS cannot guarantee that a client user will use the same worker process.
For example, the user client uses Process A when first visiting the web, and when he second visit the web, it may use Process B. There is no session stored in Process B, so his session is lost.
Why it is OK when the website load is low? Because IIS will only setup one worker process when the load is low. So the session lost issue will not happen. This explains why it is OK when I deploy a new version and test it OK at night, but the error happens again tomorrow morning. Because the website load is low at night.
Be careful to use session state in Process, it is unstable when your website load will be high and considering with mutiple worker processes. Try something like State Serversession state.
In the web.config file for my application, in the <sessionState>
section I have set timeout="60" (in minutes), but session state
variables in my application seem to be expiring in about 1 minutes.
Any idea what could cause this?
Yes.
Session timeouts are also specified and controlled by IIS (although there is overlap ofcourse). In IIS 6.0 you also need to check the following places in IIS manager (properties of Virtual directory):
ASP.net tab > Edit configuration > Authentication tab > Cookie timeout
ASP.net tab > Edit configuration > State management tab > Session timeout
Setting all these to the same value, fixed the issue for me.
edit: Apparently the previously listed first option, had nothing to do with it. That means, that the first of the two options is now the place for you to fix your session timeout. It's probably not your session timing out, but the authentication expiring.
Or another possibility is that the worker process is restarted, or the application is restarted. Also things to look into.
If you are storing session state "in proc" then every time the app pool recycles you can loose session (this can happen a lot on a server with low memory). You could try storing session state "out of proc" using State Server or SQL Server.
See PRB: Session Data Is Lost When You Use ASP.NET InProc Session State Mode