How does the session timeout work in IIS 7? How does the session timeout work in IIS 7? asp.net asp.net

How does the session timeout work in IIS 7?


asp.net iis-7 timeout session-state

Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server.

The Application Idle time-out kicks in if there have been no requests to your application for that period of time.

The usual scenarios is therefore:

Time  | User A       | User B       | Session States------+--------------+--------------+-------------------------------------------12:00 | Visits Page1 |              | A: New Session, Time-out: 20 minutes12:02 | Visits Page2 |              | A: Time-out reset: 20 minutes12:10 |              | Visits Page1 | A: Time-out: 12 min; B: New: 20 minutes12:15 |              | Visits Page2 | A: Time-out: 07 min; B: Time-out: 20 min12:22 |              |              | A: times out; B: 13 min remaining12:32 |              |              | Application Shuts Down (Idle time reached)12:35 | Visits Page3 |              | A: New Session Starts

If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost.

The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that's it not AutoGenerated each time the server restarts.

If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will will issue two cookies to each user:

  1. Authentication Token: Controlled by the Authentication time-out setting, allows the user to be auto logged in to your site if the cookie hasn't expired, this can be fixed or sliding, and defaults to 30 minutes, which means their authentication token can cope with a longer "idle" period than their session.
  2. Session Token: Controlled by the Session Time-out setting, allows your application to store and access per-user values during the lifetime of their visit.

Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session.

Responding to comments:

  1. The 20 minute session time-out relates to items you've placed in the users session object (HttpSessionState) using the Session.Add(string, object) method.
  2. That depends. If you've correctly configured the machine.key, authentication tokens will still be valid, and if your sessions are no longer "InProc" these will also persist through application restarts and will still be readable - see notes above.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last