In my application I use Forms Authentication and sessions. How do I take care that the user is logged out after a period of 6 hours?

In my web.config I set the session time-out to 360 minutes. But after a period of 10 minutes of inactivity I have to log in again.

I also set my forms authentication timeout to 360 minutes. What is it I am doing wrong?

+2  A: 

There are some other timeout values that will affect session timeout. One of them that comes to my mind is the Worker Process Timeout (that is set from IIS). The Worker Process's default timeout is 20 mins, so if there is no activity on your site for 20 mins the worker process will end, causing your session to end if you are using session in InProc mode. So setting the Worker Process's timeout value to 360 minutes is what you may need as well.

Numenor
+1  A: 

Instead of setting a session timeout, you could implement a mechanism to keep the session alive, e.g. refresh the page or make an ajax call etc.

You could add to this by implementing a maximum login time that can be checked, etc.

Mark Redman
This will cause the session never to time out and will keep the server busy unnecessarily.
Numenor
It will keep session as long as an explorer window is opened, it's safer than setting a 6 hours long session timeout, because this means that if someone closes the page and opens a new session the former will remain opened until timeout wasting unnecessary resources.
jmservera
+2  A: 

try this setting:

<authentication mode="Forms">
    <forms timeout="360" slidingExpiration="true"/>
</authentication>

couple things to check also:

  • if your FormsAuthenticationTicket is created with a lower cookie timeout value, that could override

  • if the application pool "shutdown worker processes" interval is lower, that would reset the state earlier

jspcal
I am not using/setting FormsAuthenticationTicket. I only use this line: FormsAuthentication.SetAuthCookie(userId.ToString(), false); Is it possible to set the FormsAuthenticationTicket cookie timeout in this situation? I use IIS on Win XP. So I can't set "shutdown worker processes", correct?
Martijn
w/no tkt, try the forms timeout val
jspcal
Sorry, but what does w/no tkt mean?
Martijn
Also, you recommend setting slidingExpiration to true, but Filburt recommends setting slidingExpiration to false.
Martijn
+1  A: 

You need to adjust timeout and slidingExpiration:

<authentication mode="Forms">
    <forms requireSSL="false"
        defaultUrl="Default.aspx"
        loginUrl="Login.aspx"
        path="/"
        slidingExpiration="false"
        timeout="360"
        name=".ASPXFORMSAUTH">
    </forms>
</authentication>
Filburt
You recommend that I set slidingExpiration to false, but jspcal recommends that I set the property to true...
Martijn
If you set slidingExpiration to **true** you cannot enforce terminating the session after 6 hours because the session time window will renew to the specified timeout with every page request.
Filburt
A: 

Are you using InProc Sessions? (That's the default on ASP.net AFAIK) In that case, check if your Application Pool recycles, as this will kill all sessions. I don't have an IIS to check, but I believe it's configured to shut down an Application Pool if it's idle for a given time - if this is your development Server, maybe you've been idle for too long so that the AppPool recycles and your InProc Sessions are killed?

I'm not sure how easy it is to quickly implement stateserver or sqlserver instead of inproc, but here is the MSDN Page about Session State.

Michael Stum