Click here to Skip to main content
15,868,016 members
Articles / Web Development / IIS
Article

Session State - The Basics

Rate me:
Please Sign up or sign in to vote.
0.00/5 (No votes)
11 Oct 2013CPOL3 min read 4.8K  
This is a broad topic so I’ll try to spare too many details and give you basics. DefinitionsSession Timeout: Get and sets the amount of time,

This articles was originally at wiki.asp.net but has now been given a new home on CodeProject. Editing rights for this article has been set at Bronze or above, so please go in and edit and update this article to keep it fresh and relevant.

This is a broad topic so I’ll try to spare too many details and give you basics.

Definitions

  • Session Timeout: Get and sets the amount of time, in minutes, allowed between requests before the session-state provider terminates the session.
  • Forms Authentication Timeout (Expiration): Is used to specify a limited lifetime for the forms authentication session. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.

My experience was that I had users of an application request to set the session timeout to 60 minutes.  Simple enough I thought... I will add some code that sets the session timeout.

Session.Timeout = SomeConfigurableValue

WRONG!  Actually this was still needed but didn't fully solve the problem.  The application was using Forms Authentication.  There is also a timeout for forms authentication.  Simple enough I thought... I will add some code that sets the forms authentication ticket timeout.

Dim authTicket As New FormsAuthenticationTicket(1, crlLogin.UserName, DateTime.Now, DateTime.Now.AddMinutes(SomeConfigurableValue), isCookiePersistent, Nothing)

WRONG AGAIN!  Actually this was also needed but I was still missing a piece of the puzzle.  In IIS (specifically 7.0) there are basically two ways you can manage session state: 1) In Process or 2) Out of Process (there are different varieties of this kind). This site was setup to store session state In Process. This means that the session state is stored inside the worker process (w3wp.exe). Within IIS there is a Idle Timeout property… which by default is set to 20 minutes. Therefore if there is no activity against that site for 20 minutes the worker process will go away taking with it any sessions since the site manages session state In Process.  After understanding how this works it made sense why users were SOMETIMES saying the session timeout wasn't 60 minutes.  Let's take a look at a couple of scenarios.

#1 Session State Active for 60 Minutes
User ABC logs on at 2:00 PM, performs some action, and doesn’t attempt to do anything else until 2:50 PM. User XYZ logs on at 2:10 PM and performs some action. Then user XYZ performs other actions at 2:25 PM and 2:40 PM. When user ABC tries to review a users account 2:50 PM there session will still be intact.

#2 Session State Not Active for 60 Minutes
User ABC logs on at 2:00 PM, performs some action, and doesn’t attempt to do anything else until 2:50 PM. User XYZ logs on at 2:10 PM, performs some action, and doesn’t attempt to do anything until 2:45 PM. When both users try to perform their second action they will be required to log back in. This is because IIS recycled the worker process on the server because the worker process was idle for 20 minutes.

There are ways to overcome this however the answer isn't trivial.  If you just bump the Idle Timeout property this may have implications on your environment.  There also the option of store the session state out of process and this is up to you to decide how to want to manage this.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
United States United States
The ASP.NET Wiki was started by Scott Hanselman in February of 2008. The idea is that folks spend a lot of time trolling the blogs, googlinglive-searching for answers to common "How To" questions. There's piles of fantastic community-created and MSFT-created content out there, but if it's not found by a search engine and the right combination of keywords, it's often lost.

The ASP.NET Wiki articles moved to CodeProject in October 2013 and will live on, loved, protected and updated by the community.
This is a Collaborative Group

755 members

Comments and Discussions

 
-- There are no messages in this forum --