Develop Reference

ASP.NET Session TimeOut problem

I have a wired scenario in one of my ASP.net application.
I am using ASP.net membership with my custom "roleManager",
and having below tag in web.config to restrict any user not having role of "Keywords"(roles) to access "Keywords"(path) folder
<location path="Keywords">
<system.web>
<authorization>
<allow roles="Keywords"/>
<deny users="*" />
</authorization>
</system.web>
</location>
If any user with some other role allow to assess this URL (Keywords in this case) will be redirected to a custom- Access denied page.
Now things working fine but when I left my application with a inactivity of 30 min I am not able to visit the "Keywords", all the time I end up with the custom- Access denied page, if I close the browser, login again it start working fine.
Please help me in this case.
Thanks in advance

ASP.NET sessions time out after 20 minutes by default, I think.
You can extend this by specifying a longer time (in minutes) in the Web.config:
<system.web>
<sessionState timeout="60"/>
...
</system.web>
If you are authenticating via Forms, you should raise the authentication cookie timeout value to match.
Also bear in mind that, when running the site under IIS, you should probably extend the application pool's idle timout to something similar. If you don't do this, the HttpApplication instance for your ASP.NET site will be unloaded, destroying any active sessions in the process.

Usually, the first and easiest thing to do is just change the configuration/system.web/sessionState#timeout value to something like “90″
<sessionState timeout="90" />
it still appears to be timing out after 20 minutes.
*This doesn’t make any sense, it explicitly says that the session timeout should be exactly 90 minutes.*
There’s a couple of issues that are tied together here:
The application pool’s worker process default idle timeout is also
set to 20 minutes
The default mode of storing session state is in the IIS process
The settings for the application pool can be found by clicking Properties (IIS 6) or Advanced Settings (IIS 7.5) on the application pool that the application is assigned to.
Ensure the value of "Idle-Time-out(minutes)" is set to the timeout of your session, at a minimum (ex 90), to ensure that all sessions persist for the entire session timeout period.
try this solution if still there is a problem refer to this article it tell more option to try
http://asp-net.vexedlogic.com/2012/05/23/aspasp-net-session-timeout-how-do-i-change-it/

Auto Logout in asp.net

I have a one Application in .net ,
I want Auto Logout If data entry Operation rest For Five minute then !
application is auto logout !
will it only logout if nothing is done at screen !
I have tried Below Code But Session Is Expire even if work is on !
<authentication mode="Forms">
<forms loginUrl="../frmLogin.aspx" timeout ="1000" />
</authentication>
<sessionState mode="InProc" timeout="1" cookieless="false">
</sessionState>
Thanks
Regard
Samarth patel

You have to add this in your web.config file for Auto Logout
<system.web>
<sessionState timeout="1" />
</system.web>

You need to set your session timeout to 300seconds. And yes, it will only expire if nothing happens. Even just a request to the server resets it i think. this means that if you have a timed ajax-request in the background that is less than the session timeout, your session will never time out. (I think... :| )

Well, session is defined on the server, in general everytime a user interacts with the server, the session time is lengthened.
So first set your session to 300 seconds.
And perhaps, client side , have a timeout for 3100 ms, that will in the end navigate to the login page. If the user navigates away within the end of the timeout, it's ok, the session is being lengthened.
If he reaches the timeout (and you don't do any ajax stuff!!!), then the server session has ended.

Sessions in asp.net

i have a login page so once the user enters the correct details he enters into the home page. Now i want to implement 3 things
once he clicks the button 'log out' he must be redirected to a page saying" logged out successfully " n even if clicks the back button in the browser, he should not be able to access.
if the user leaves the homepage idle for a specific amount of time say 10minutes and then he tries to navigate after 10 mins a msg should display saying "Your Session has been expired login again"
if given the url of homepage he shouldnt be able to access unless logged in.
I am not sure about what exactly i need to do and how to do. Plz Help
Regards
Indranil Mutsuddy

1) When the user logs out of the system I would recommend doing a Session.Abandon(). If the user clicks the Back button in the browser he might see the cached version of the old page (this is entirely browser dependant), but he won't be able to do anything anyway.
Disable the caching in your pages and the user shouldn't even see the cached old version :)
A simple way to do this would be to add the following into Global.asax's Application_BeginRequest:
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoStore();
2) In your web.config set the session lifetim to 10 minutes, incremental.. That will do the trick
<system.web>
<authentication mode="Forms">
<forms defaultUrl="~/LoggedIn.aspx" loginUrl="~/Login.aspx" protection="All" path="/" slidingExpiration="true" timeout="10"/>
</authentication>
</system.web>
3) You can do this using authorization rules in web.config. If you want no anonymous users to access your website just enable access only to logged in users like this:
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
If you want to restrict access not to the whole website, but only to some areas (like the MyAccount area, then you can add this instead.. Note: Web.config can have multiple <location> elements!
<location path="MyAccountFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
There's one important note about the location tag. The Path does NOW start with a '/'! So if you want to secure the /MyAccount folder, then your tag will start like this:
<location path="MyAccount" />

You should generally use ASP.NET Forms Authentication for this.
When the Log Out button is clicked, call FormsAuthentication.SignOut. This will remove the forms-authentication ticket information from the cookie (or URL if cookieless).
For a timeout, use the timeout attribute in the system.web/authentication/forms element of your web.config. Note that your forms authentication timeout is independent of your Session timeout.

Case 1:
When clicked on the log off button clear the Session.
Clicking the back button in the browser might result in fetching the page from the cache. So by cheking Session in the page might not be effective. You can disable caching for the page so that when back button is clicked a new request to the page will be generated.
For pages not to be cached set this
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Case 2:
You can set the default timeout for Session as 10 minutes. See HttpSessionState.Timeout Property
Case 3:
Check Session for null and if found to be null then redirect to a login page.

"Request timed out." error when setting debug="false"

I have a page that takes a few minutes to run. When I set debug="false" in the <compilation /> tag in web.config, I get a "Request timed out." error (and internal try/catch blocks in my code get a "Thread was being aborted." error.
What is the fix to allow long pages to run in production mode? Does debug mode have an infinite timeout?

You should just need to increase the script timeout for page executions. It defaults to 90 seconds, so if you need more time, change it in the following system.web element (executionTimeout attribute):
<httpRuntime executionTimeout="seconds"
maxRequestLength="kbytes"
minFreeThreads="numberOfThreads"
minLocalRequestFreeThreads="numberOfThreads"
appRequestQueueLimit="numberOfRequests"
useFullyQualifiedRedirectUrl="true|false" />

You can set the max. duration for requests in web.config:
<system.web>
...
<httpRuntime executionTimeout="600" />
Where executionTimeout specifies the maximum number of seconds that a request is allowed to execute before being automatically shut down by ASP.NET. Details can be found here.

Session timeout in ASP.NET

I am running an ASP.NET 2.0 application in IIS 6.0. I want session timeout to be 60 minutes rather than the default 20 minutes. I have done the following
Set <sessionState timeout="60"></sessionState>
in web.config.
Set session timeout to 60 minutes in IIS manager/Web site properties/ASP.NET configuration settings.
Set idle timeout to 60 minutes in application pool properties/performance.
I am still getting a session timeout at 20 minutes. Is there anything else I need to do?

Are you using Forms authentication?
Forms authentication uses it own value for timeout (30 min. by default). A forms authentication timeout will send the user to the login page with the session still active. This may look like the behavior your app gives when session times out making it easy to confuse one with the other.
<system.web>
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
<sessionState timeout="60" />
</system.web>
Setting the forms timeout to something less than the session timeout can give the user a window in which to log back in without losing any session data.

I don't know about web.config or IIS.
But I believe that from C# code you can do it like
Session.Timeout = 60; // 60 is number of minutes

Use the following code block in your web.config file.
Here default session time out is 80 mins.
<system.web>
<sessionState mode="InProc" cookieless="false" timeout="80" />
</system.web>
Use the following link for Session Timeout with popup alert message.
Session Timeout Example
FYI:The above examples is done with devexpress popup control so you need to customize/replace devexpress popup control with normal popup control. If your using devexpress no need to customize

In my situation, it was Application Pool. It is set to restart when idle for xx mins. When I set it to not restart, it seems to use value from Web Config.

Do you have anything in machine.config that might be taking effect? Setting the session timeout in web.config should override any settings in IIS or machine.config, however, if you have a web.config file somewhere in a subfolder in your application, that setting will override the one in the root of your application.
Also, if I remember correctly, the timeout in IIS only affects .asp pages, not .aspx. Are you sure your session code in web.config is correct? It should look something like:
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
stateNetworkTimeout="60"
sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
cookieless="false"
timeout="60"
/>

That is usually all that you need to do...
Are you sure that after 20 minutes, the reason that the session is being lost is from being idle though...
There are many reasons as to why the session might be cleared. You can enable event logging for IIS and can then use the event viewer to see reasons why the session was cleared...you might find that it is for other reasons perhaps?
You can also read the documentation for event messages and the associated table of events.

https://usefulaspandcsharp.wordpress.com/tag/session-timeout/
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="60" slidingExpiration="true" />
</authentication>
<sessionState mode="InProc" timeout="60" />

If you are using Authentication, I recommend adding the following in web.config file.
In my case, users are redirected to the login page upon timing out:
<authentication mode="Forms">
<forms defaultUrl="Login.aspx" timeout="120"/>
</authentication>

Since ASP.Net core 1.0 (vNext or whatever name is used for it) sessions are implemented differently.
I changed the session timeout value in Startup.cs, void ConfigureServices using:
services.AddSession(options => options.IdleTimeout = TimeSpan.FromSeconds(42));
Or if you want to use the appsettings.json file, you can do something like:
// Appsettings.json
"SessionOptions": {
"IdleTimeout": "00:30:00"
}
// Startup.cs
services.AddSession(options => options.IdleTimeout = TimeSpan.Parse(Config.GetSection("SessionOptions")["IdleTimeout"]));

You can find the setting here in IIS:
It can be found at the server level, web site level, or app level under "ASP".
I think you can set it at the web.config level here. Please confirm this for yourself.
<configuration>
<system.web>
<!-- Session Timeout in Minutes (Also in Global.asax) -->
<sessionState timeout="1440"/>
</system.web>
</configuration>

The default session timeout is defined into IIS to 20 minutes
Follow the procedures below for each site hosted on the IIS 8.5 web
Open the IIS 8.5 Manager.
Click the site name.
Select "Configuration Editor" under the "Management" section.
From the "Section:" drop-down list at the top of the configuration
editor, locate "system.web/sessionState".
Set the "timeout" to "00:20:00 or less”, using the lowest value
possible depending upon the application. Acceptable values are 5
minutes for high-value applications, 10 minutes for medium-value
applications, and 20 minutes for low-value applications.
In the "Actions" pane, click "Apply".

IIS sessions timeout value is for classic .asp applications only, this is controlled on IIS configuration.
In your case For ASP.NET apps, only the web.config-specified timeout value applies.

if you are want session timeout for website than remove
<authentication mode="Forms">
<forms timeout="50"/>
</authentication>
tag from web.config file.

The Timeout property specifies the time-out period assigned to the Session object for the application, in minutes. If the user does not refresh or request a page within the time-out period, the session ends.
IIS 6.0: The minimum allowed value is 1 minute and the maximum is
1440 minutes.
Session.Timeout = 600;

After changing the session timeout value in IIS, Kindly restart the IIS.
To achieve this go to command prompt. Type IISRESET and press enter.