Where to set session timeout?

Question

The application sets session.timeout in Application_AcquireRequestState event handler.

Before session expires, there is notification window popping up. It resets session timeout to, say, 3 minutes (normally, it is 30 minutes), through Application_AcquireRequestState.

The notification offers user an option to extend session for another 30 minutes. If user clicks yes, it will reset session timeout for 30 minutes through the previous event handler.

The problem is, though user clicks yes, and session timeout is set correctly, session seems timeout before the set time. This only happens after notification.

The suspicion is when it hits Application_AcquireRequestState, the timeout is already calculated for this request. The new timeout value will be used for next request. So when user clicks yes to extend session, the timeout for current request is not 30 minutes away, it is only 3 minutes away, due to timeout set by the notification window. The yes will only be in effect if user sends another request.

(Notification window has its own timing object)

Can anyone verify this? or point me to a good resource to explain how asp.net manages this?

Thanks!

Answer 1

I use a much simpler mechanism. I don't have the popup extend the session at all. I use a session with a sliding window and when the user clicks the "OK" button in the session expiration notification, it makes an AJAX request back to the server updating the sliding window.

Answer 2

Session.Timeout is a global setting within the application.

If you're setting the users Timeout to 3 minutes when you pop the window notifying the user that they are about to be logged out, and they don't respond, your Session.Timeout will stay at three minutes until another user resets it - is it possible that this is happening?

Answer 3

Zhaph, the problem is when user clicked "Yes" to extend the session, then walk away.

I think I finally nailed down the problem.

It was as I suspected, but only in "SQLServer" mode. When request comes into Application_AcquireRequestState, the session is already extended (can be verified in ASPState database, ASPStateTempSessions table). If user clicked "Yes", though the new time out value is set, it won't be in effect until next server request. If user walked away without another click, session timed out with the previously set timeout value, which is 3 minutes.

In "InProc" or "StateServer" mode, the session objects are managed by cache, whose expiration can be reset only further in the future but not shrink back to more current time (or it will be ignored).