In IIS 6 (and other versions too afaik), there is a Session Timeout setting in Properties -> Home Directory Tab -> Configuration button -> Options tab. Looks like this:
And in the ASP.NET web.config there is a SessionState setting, looks like this:
<system.web>
<sessionState timeout="120" />
<!-- etc .. -->
</system.web>
Are they, by any chance, related? Do they set the same thing, or different things?
They are not the same. The IIS session timeout is for clasic ASP pages. The web.config one is for asp.net.
The IIS setting has no effect on ASP.NET sessions as far as I'm aware - these must be set in the web.config.
You should also consider Application Pool Idle Timeout. The settings for the application pool can be found by clicking Properties (IIS 6) or Advanced Settings (IIS 7.5) on the application pool that the application is assigned to.
Ensure this value is set to the timeout of your session, at a minimum, to ensure that all sessions persist for the entire session timeout period.
The reason that these two values are dependent on one another is because the session information is actually stored within the worker process of the application pool. That is to say, if the worker process is shutdown or killed for any reason, the session information will be lost.
Related
I am trying to make the session timeout in my application configurable.
When I put the following code in my web.config file it works fine:
<sessionState cookieless="true" timeout="1" />
That is, I can see my session times out after 1 minute. However, this code has the side effect of putting the session id in the url which is not desirable.
On the other hand, if I use the following code in my web.config, the session does not timeout for at least 1 hour or longer:
<sessionState cookieless="false" timeout="1" />
To determine that the session is in fact timing out, I am using the following code in my _Layout.cshtml:
#if (Session[MvcApplication._Ssn_UserName] == null)
{
Response.Redirect("~/Login/Index");
}
When the timeout is working, I see the user redirected to my Login page anytime they navigate to a different page or just hit the refresh button in the browser.
I see the same behavior when running from Visual Studio (IIS Express) or when running on IIS.
I've done a lot of searching online, and haven't discovered any correlation between the cookieless setting and the timeout behavior. Any ideas would be appreciated.
Try to use the iis session state setting as suggested below:
1)open iis and select your site.
2)select the session state feature
3)set the mode and cookie setting as per your choice:
session timeout value should not be set higher than 20 minutes (except in special cases) because every open session is holding onto memory. It should also not be set lower than 4 minutes because clients rarely respond within that time resulting in a loss of session state.so try to set like 5 minutes or more.
make sure there is no other session time out setting which conflicts with this setting like global.asax file setting or code-behind time out setting.
try to set the iis application pool ideal time out setting the same as session Tim out setting.
go to the Application Pool of the website --> go to advanced settings --> Process Model --> and change Idle Time-out
Mine is a Windows authenticated asp.net solution (framework v4.0). Implemented a 20 minutes session timeout, with Inproc mode and is mentioned in the web config file.
<authentication mode="Windows" />
<sessionState mode="InProc" timeout="20" />
The application is running as a separate app pool and the idle time-out value is set to 20 minutes.
The application is hosted in IIS 7.5.
But, the application timeouts randomly from 5 to 7 minutes, sometimes even within a minute.
According to the Eventviewer only 20 minutes timeout events are logged.
Any suggestion on what I'm missing ?
Note: My application runs in a separate pool.
Update
Another thing that i noticed today in the server where application is hosted is, in the IIS coulnd't find the Session State icon. Also when i checked the Services window found that the ASP.NET State Service's startup type is Disabled. Should these two things be present in the server for an ASP.Net application to to track Session whose session mode is set to "InProc".
When I update an ASP.NET Website [note: it's not a Web Application] running on a customer server by overwriting it with the latest version it currently kicks all the users off.
I'd prefer to be able to deliver a new version of a site without kicking off users - is there a way to minimise the chance that users will get kicked off? [apart from the obvious one of waiting for a time of low-usage]
If I moved from InProc to Session State I guess this might do the trick - but is there any other method?
Chaning away from InProc Session State should help.
The problem now is that any time your app is reset in IIS (overwriting the web.config will cause a restart), the IIS Worker process restarts and clears your session info.
Check out this MSDN Page to read the limitations of In-Process Session State:
Session State - MSDN
I think additionally to what you are suggesting, it will be appropriate to display an "update in progress..." page instead of kicking off users. You can do that by changing your web.config file.
Session IDs are valid for the lifetime of the application pool, or until (I believe) 20 minutes following the last page request from the client in question. This is configurable in web.config:
<configuration>
<system.web>
<sessionState
cookieless="false"
timeout="20"
</sessionState>
</system.web>
</configuration>
If the application pool is recycled, files within the application are updated, etc, your session IDs will be invalidated. For this reason it is considered wise to deploy your site during off-peak hours.
Design your application to not rely on the existence of session state variables. Use cookies for authentication (or integrated auth) and check for session variables as you use them; reload them if they don't exist.
Authentication cookies seem to timeout after a short period of time (a day or so). I am using Forms Authentication and have the timeout="10080" with slidingExpiration="false" in the web.config. With that setting, the cookie should expire roughly 7 days after the user is successfully authenticated.
This worked as advertised with IIS6, but when I moved the site to IIS7, the cookie expires much quicker. I've confirmed this behavior on multiple machines with IE and Firefox, leading me to believe it's an IIS7 setting.
Is there a hidden setting that is IIS7 specific related to authentication? All other authentication types are disabled for the website, except for anonymous user tracking.
The authentication cookie is encrypted using the machineKey value from the local web.config or the global machine.config. If no such key is explicitly set, a key will be automatically generated, but it is not persisted to disk – hence, it will change whenever the application is restarted or "recycled" due to inactivity, and a new key will be created on the next hit.
Resolving the problem is as easy as adding a <machineKey> configuration section to web.config, or possibly (preferably?) to the machine.config on the server (untested):
<system.web>
...
<machineKey
validationKey="..."
decryptionKey="..."
validation="SHA1"
decryption="AES"/>
...
</system.web>
Google generate random machinekey for sites that can generate this section for you. If your application deals with confidential information, you might want to create the keys yourself, though.
My understanding is that cookies are expired by the consuming party - the browser, which means that IIS has no say in this
Set session state configured in IIS as
In Process
Use Cookies
Time out = your required time
Use hosting identity for impersonation
Also set EnableSessionState to true (which is default too)
And most importantly run the app pool in classic mode.
Hope your problem will solve.
First of all i must say that these "guidelines" are generic and not iis-7 exclusive.
In web.config under <system.web>
you either have <sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" timeout="130" cookieless="false"/> (which requires the ASP.NET Session State Server service running on localhost)
or <sessionState mode="InProc" timeout="130" cookieless="false"/>.
The main difference is that in InProc that session state data are placed in the application process itself. In the other setting a different service is doing the storage, and you application just polls it to get the required data.
Having used both (as well as sql-server session state mode) the InProc is the least reliable but the fastest. The Sql-server is the most reliable and the slowest and the StateServer mode is somewhere in the middle being unreliable only in the case of a power/system failure. Having said that, i must say that for site with a low request count the performance penalty is negligible.
Now, my experience has shown that InProc is quite unpredictable on its stability; i used to have the same problem with you. I was able to extend the stability of the application by tweaking the settings of the application pool, i removed the problem altogether by switching to SessionState (which also allows to bring down the application and not lose session state data).
The reasons that you may suffer from application/session stability:
IIS and application pooling. Each virtul directory of a website is assigned to an application pool (by default to "DefaultAppPool") which has a series of settings amongst which you define the interval that the process is "recycled" - and as such preserve system resources. If you don't change the settings the application may trigger one of the criteria for the process recycler, which means that your application is busted
Antivirus.
In a ASP.NET application if the web.config (and any child .config files the application depends on) file is touched the application is restarted. Now there are cases where an antivirus program may touch the web.config file (say once a day?) and as such the application is restarted and session data is lost.
Bad configuration
Specifically for Forms Authentication the time-related settings and behavior always where dependent on the web-session with the auth-session being under the web-session.
What i don't know is if the Forms Authentication module depends only on Session domain or if it also places data in the application domain as well. If the second is the case then you may have to disable all recycling settings in the Application Pool as well as checking again configuration/antivirus and who stores the session data.
I recently had the same problem where my site was timing out every 20 minutes even though I set the session timeout to 2 hours. I found that it was because IIS worker process was timing out every 20 minutes: http://technet.microsoft.com/en-us/library/cc783089(WS.10).aspx
In the web.config file for my application, in the <sessionState>
section I have set timeout="60" (in minutes), but session state
variables in my application seem to be expiring in about 1 minutes.
Any idea what could cause this?
Yes.
Session timeouts are also specified and controlled by IIS (although there is overlap ofcourse). In IIS 6.0 you also need to check the following places in IIS manager (properties of Virtual directory):
ASP.net tab > Edit configuration > Authentication tab > Cookie timeout
ASP.net tab > Edit configuration > State management tab > Session timeout
Setting all these to the same value, fixed the issue for me.
edit: Apparently the previously listed first option, had nothing to do with it. That means, that the first of the two options is now the place for you to fix your session timeout. It's probably not your session timing out, but the authentication expiring.
Or another possibility is that the worker process is restarted, or the application is restarted. Also things to look into.
If you are storing session state "in proc" then every time the app pool recycles you can loose session (this can happen a lot on a server with low memory). You could try storing session state "out of proc" using State Server or SQL Server.
See PRB: Session Data Is Lost When You Use ASP.NET InProc Session State Mode