Many of us are familiar with ASP.NET session state and various options surrounding it. Applications are either aggressive or relaxed about their session timeline and in most cases you would be inclined to change the default session timeout limit of 20 minutes. The obvious place to do this in web.config’s sessionState element as shown below:
<system.web>
…
<sessionState timeout=”40″ /> <!–timeout is in minutes–>
But unfortunately there are caveats to it. In case you are using forms authentication there is a timeout for the underlying forms authentication cookie. The default value of this timeout is 30 minutes and hence you might witness user being thrown out of the system before his session expires. Hence you want to ensure that the cookie lifetime matches the session time.
<system.web>
<authentication mode=”Forms”>
<forms loginUrl=”~/Login.aspx” timeout=”40″ /> <!–timeout is in minutes–>
</authentication>
Finally you might also want to check your Application Pool’s idle timeout. If there is sole user browsing your site (could be rare case) and user idle time exceeds the application pool idle time, you might again see an unexpected behavior. So ensure application pool idle timeout too matches your session timeout.
No comments:
Post a Comment