Last post Jan 20, 2014 02:25 PM by Indigo121
Jan 19, 2014 08:10 AM|Indigo121|LINK
I need to set the max session time for a user to a few hours. This in addition to the TIMEOUT value which I allready set in the "sessionState" node in the web config, which if I understood correctly sets only the IDLE timeout value. Have I understood correctly?
Is there an automated way to limit overall session time?
Jan 19, 2014 08:29 AM|PatriceSc|LINK
No, as far as I know you only have an idle timeout. If this is really needed you coud store the session start time in Session_Start and check for each request that you don't have reached the maximum session duration. Note sure what is your goal but make
sure that limiting the overall session time really fits your objective (fior example the session ends and then if the user starts again a new session, what is the benefit or will you take the past session duration to deny access etc... ?).
Jan 19, 2014 08:40 AM|Rion Williams|LINK
The SessionState timeout as Patrick mentioned is only going to apply to any idle timeouts, thus the Session itself will not expire unless a request has not been made during that period of time. I would agree with Patrick and say that the easiest way of handling
this would most likely revolve around storing a value in the Session and checking it within each Request that is made.
Could you elaborate a bit more on what you are trying to accomplish? There may be a better way to handle this through something like a Cookie or other form of timeout (such as using Forms Authentication).
Jan 20, 2014 03:59 AM|Indigo121|LINK
Thanks for your replies. I am required to setup a "Session Timeout" of 8 hours for activity under a session. This supposedly to prevent someone using a script to run indefinitely on the site. This is the requirement. I imagine checking it by myself on each
request should do the trick. I certainly don't want to use some constantly running script to do it.
Jan 20, 2014 08:18 AM|Rion Williams|LINK
If that is the case, you might want to just consider storing a Session variable when your Session is initially created and then check it when a request occurs (create a timestamp when the Session is initialized in the Session_Start method and compare
it when a Request occurs).
I would also highly recommend setting all of the available timeouts to 8-hours as well (ie Forms Authentication timeouts, Session State and your IdleTimeout Setting in IIS)
as seen below :
Setting the Forms Authentication Timeout within your web.config
You can adjust the specific timeout property of your Forms Authentication in your application by adjusting the timeout property within the <authentication> element of your web.config file. You will also want to be mindful that if you are using the slidingExpiration
property in conjunction with timeouts as they can actually expire much earlier than the timeout listed (when half of the duration is elapsed)
<authentication mode="Forms"> <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="120"></forms> </authentication>
So if you wanted to extend the amount that the authentication token stays "alive" for to 480 minutes (8 hours), you would set it as seen below :
<authentication mode="Forms"> <forms name=".ASPXAUTH" loginUrl="~/Login.aspx" timeout="480"></forms> </authentication>
Setting the SessionState Timeout within your web.config
You can update the timeout property of your Session State within your web.config file in the <sessionState> element as shown below :
<configuration> <system.web> <!-- Adjust the timeout property below --> <sessionState mode="InProc" timeout="480"/></sessionState> </system.web> </configuration>
Setting the Application IdleTimeout property within IIS
You may need to check what your timeout is configured for within IIS, as this timeout will override the timeouts defined in your web.config.
Within IIS there is a setting called Idle Timeout, which defaults at 20 minutes.
Scott Hanselman also addresses strange issues that can occur when dealing with timeouts when using Forms Authentication in this blog post as
Jan 20, 2014 02:25 PM|Indigo121|LINK
Thanks a lot for the detailed explanation. i thought the "timeout" attribute in
sessionState was for idle time? I do need idle time set to a different value, in addition to the "max out" time.