views:

2277

answers:

2

I'm trying to increase the timeout on all sessions. The site is hosted with Godaddy, and it is written in Flash (client side of course) and asp.net on the backend. I've added this to my web.config,

<sessionState timeout="720">

</sessionState>

Is that really all that I need to do? I'd prefer to not let sessions expire ever, but I'm sure that the server needs to reclaim that memory at some point...I'm not storing anything in the session, really, just using it to track users' progress through the site, and if a user is logged in or not.

Thanks for any pointers...all the documentation seems deceptively simple, and it kind of makes me nervous...

+2  A: 

Yup! As in; Yes, that's the only thing you need to do...

To get "never ending timeouts" you'd have to create a background HTTP request (which will transmit the session cookie) back to the server every 719 minute though. Though theoretically then you'd also have to have "Out of Process" sessions using e.g. some sort of database or something...

Or you could roll your own session handler, I think APS.NET have support for this through using some sort of adapter pattern or something, but I am not sure. Then you could have a "truly" never ending session...

Thomas Hansen
Thanks! Confirmation from a "live" person increased my security level 100 times.
Matt Dawdy
No problem Matt :)
Thomas Hansen
+1  A: 

If you are using Forms Authentication you will also need to set the Forms Authentication Timeout in your web.config

Example:

<authentication mode="Forms">
  <forms
    name=".ASPXAUTH"
    loginUrl="/Home/Default.aspx"
    defaultUrl="/Dashboard/Default.aspx"
    protection="All"
    timeout="30"
    slidingExpiration="true"
  />
</authentication>
Steven Quick