none
IIS Sessions Timing Out RRS feed

  • Question

  • Hello all. We have a peculiar and troublesome problem on one of our IIS servers running an ASP application. The Session Timeout setting in IIS is set to 240 minutes. We also explicitly set Session.Timeout = 240 minutes in our global.asa file. This works as it should with all of our applications on all of our client's servers except for one. On this particular server (Windows 2003 Standard Edition), the sessions are timing out somewhere between 30 and 60 minutes. There is no indication as to why this is happening despite the IIS setting AND the explicit setting in ASP to 240 minutes. Anyone know what could cause this or how I might fix it.

     

    Thanks,

     

     

    RJ

    Database Whiz Consulting

    Sunday, July 8, 2007 7:02 AM

Answers

  • Check the Recycling and Performance tabs in the app pool properties in IIS.  App restarts/recycles clear out sessions (if they're in proc), so what might seem like a session timeout could actually be that the app is restarting for some reason.  For instance, if the Idle timeout (on the Performance tab) is set to its default (20 min I think), that could be the source of the problem (if had no activity from your sessions within 20 minutes).

     

    The bigger question I'd have would be whether or not having such a long session timeout is a good idea.  Generally speaking, you open yourself up to session replay attacks that way.  You can check out my handling session timeouts video for some ideas on how to handle session timeouts that are better than just upping the timeout time.  Even though the app in question is ASP (and my session is for ASP.NET), you can reuse most of the concepts.

    Tuesday, July 10, 2007 4:07 PM

All replies

  • off the top of my head:

    check the recycle time of the application pool in which the app is running.

    check the machine.config file

     

    hope this helps you out

    Sunday, July 8, 2007 9:01 PM
  • Check the Recycling and Performance tabs in the app pool properties in IIS.  App restarts/recycles clear out sessions (if they're in proc), so what might seem like a session timeout could actually be that the app is restarting for some reason.  For instance, if the Idle timeout (on the Performance tab) is set to its default (20 min I think), that could be the source of the problem (if had no activity from your sessions within 20 minutes).

     

    The bigger question I'd have would be whether or not having such a long session timeout is a good idea.  Generally speaking, you open yourself up to session replay attacks that way.  You can check out my handling session timeouts video for some ideas on how to handle session timeouts that are better than just upping the timeout time.  Even though the app in question is ASP (and my session is for ASP.NET), you can reuse most of the concepts.

    Tuesday, July 10, 2007 4:07 PM