none
IIS force a session timeout RRS feed

  • Question

  • We've got an ASP.Net v1.1 application, that is being hosting on an Internet Information Server 6.0 (Win2003, SP1) on the Internet.

    One of the security requirements is that users of the application have their sessions closed, if they haven't been active inside the session during the last 5 minutes. 

    We've tried the following without success:

    1) Changed the application's 'Application configuration -> Enable session state -> Session timeout' to 5 minutes, but this doesn't force the session to be timed out, even though the session is left inactive for more than 5 minutes.

    2) Changed the application's 'ASP Application Pool Properties -> Idle timeout -> Shutdown worker processes after being idle for' to 5 minutes, but this only forces the session to be timed out, if no other sessions are active within the same 5 minutes. (I.e. it times out all the sessions if none of them were active for the last 5 minutes.)

    Any ideas on how this could be accomplished using an IIS configuration ?

    Monday, October 9, 2006 10:30 AM

All replies

  •  

    If you put the code belowe in the webform, it will redirect the page, when the idle time > session timeout

     

      protected override void OnInit(System.EventArgs e)
      {
       //code to prevent caching
       Response.Cache.SetCacheability(HttpCacheability.NoCache);

       //code to automatic redirect to the login form when session timeout
       Response.AppendHeader( "Refresh", Convert.ToString(Session.Timeout * 60 + 10) +
        "; URL=" + ResolveUrl("~/Login/login.aspx") +
        "?msg=Sessie expired. Please sign in.") ;
     


       //call bases oninit
       base.OnInit(e);
      }

    Monday, October 9, 2006 11:51 AM
  • There are two different timeouts. Since security is the driver for the session requirement I assume the authentication timeout works best for your situation. You can set the authentication timeout by editing the

    <authentication mode=”Forms”>
      <forms timeout=”300”/>

    Or by assigning the Session.TimeOut property in the global.asax Session_Start. I believe both have a 30 minute window by default.

    Monday, October 9, 2006 7:09 PM