C#.NET How to set session time out to 6 hours with forms authentication?

StackOverflow https://stackoverflow.com/questions/2019345

  •  19-09-2019
  •  | 
  •  

Question

In my application I use Forms Authentication and sessions. How do I take care that the user is logged out after a period of 6 hours?

In my web.config I set the sessions time-out to 360 minutes. But after a period of 10 minutes of inactivity I have to login again.

I also set my forms authentication timeout to 360 minutes. What is it I am doing wrong?

Was it helpful?

Solution

There are some other timeout values that will affect session time out. One of them that comes to my mind is Worker Process Timeout(that is set from IIS). Worker Process's default time out is 20 mins, so if there is no activity in your site for 20 mins the worker process will end and causing your session to end if you are using session in InProc mode. So getting Worker Process's timeout value to 360 minutes is what you may need as well.

OTHER TIPS

try this setting:

<authentication mode="Forms"> <forms timeout="360" slidingExpiration="true"/> </authentication>

couple things to check also:

  • if your FormsAuthenticationTicket is created with a lower cookie timeout value, that could override

  • if the application pool "shutdown worker processes" interval is lower, that would reset the state earlier

Instead of setting a session timeout, you could implement a mechanism to keep the session alive, eg: refresh the page or make an ajax call etc.

You could add to this by implementing a maximum login time, that can be checked etc

You need to adjust timeout and slidingExpiration:

<authentication mode="Forms">
    <forms requireSSL="false"
        defaultUrl="Default.aspx"
        loginUrl="Login.aspx"
        path="/"
        slidingExpiration="false"
        timeout="360"
        name=".ASPXFORMSAUTH">
    </forms>
</authentication>

Step by Step Instructions Configure Idle Worker Process Page-Out for a Single Application Pool 1.Open IIS Manager.

2.Select Applications Pools in the Connections pane, select an application pool in the Application Pool pane, and then click Advanced Settings... in the Actions pane.

3.In the Advanced Settings dialog box, under Process Model, Optionally set the Idle Time-out value from the default 20 minutes to a different time period.

4.Click OK.

Are you using InProc Sessions? (That's the default on ASP.net AFAIK) In that case, check if your Application Pool recycles, as this will kill all sessions. I don't have an IIS to check, but I believe it's configured to shut down an Application Pool if it's idle for a given time - if this is your development Server, maybe you've been idle for too long so that the AppPool recycles and your InProc Sessions are killed?

I'm not sure how easy it is to quickly implement stateserver or sqlserver instead of inproc, but here is the MSDN Page about Session State.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top