13

For my web site I configured login session timeout for 1 week in web.config file

<system.web>
  <httpRuntime />

  <!-- Session keeps for 7 days -->
    <sessionState timeout="10080"></sessionState>
    <authentication mode="Forms">
      <forms loginUrl="~/" timeout="10080" slidingExpiration="true"/>
    </authentication>
  <!-- Configuration end  -->
</system.web>

Here is code for login

    [AllowAnonymous]
    [HttpPost]
    public ActionResult Login(string Login, string Password)
    {
        // empty passwords are not allowed
        if (Password == "")
            return Redirect(Request.UrlReferrer.ToString());

        bool LoginResult = WebSecurity.Login(Login, Password, true);
        return Redirect(Request.UrlReferrer.ToString());
    }

I login, close browser and open it again go to my web site -> user is logged in. I close browser, wait some time (about 30 minutes) go to my web site -> user is logged off. Why? Session should be stored for 7 days but we does not have even 30 minutes. Whan can be the source of problem?

Edit 1 The main idea is that I want to go back to the site in several days and still open it with logged in user

Improve this question
4
  • Are you really sure you want to keep data in memory for 7 days after the last visit? Commented Apr 2, 2014 at 11:37
  • Yes, it is internal web site which has 3 users only and I'm tired to enter credentials every time Commented Apr 2, 2014 at 12:08
  • We have the same issue when we moved from mvc3 to 4. Commented Jun 10, 2014 at 18:13
  • @Vitalii could you please let me know what configuration do we need to change. I'm on the same page. Commented Jun 21, 2019 at 9:17

4 Answers 4

Reset to default
12

Possibly, your IIS would have been configured to 20 minutes of TimeOut.

Change the IIS session timeout to 1 week 24 hours, which I hope will solve your problem.

Refer this

By design, the maximum value of timeout is set to be 24 hours. Check out Microsoft support forum

To achieve a larger window for timeout, you could consider maintaining session states in SQL, as suggested by @Marc.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I found this value but another problem appeared. I cannot set more than 23:59 hours there. And I need at least several.
4

Try moving your session state into Sql (link here). This should persist an IIS restart/app pool recycle etc.

Improve this answer

Comments

3

Website Session.Timeout will work only when it is less than the application pool session timeout value; because whenever the application pool session timeout value is reached, that particular application pool will be restarted.

http://www.codeproject.com/Articles/113287/Why-Session-Timeout-is-not-working-for-your-websit

Improve this answer

Comments

1

When the application is idle (no requests for some time), IIS may shut it down. This will destroy all Sessions.

Authentication stores it's data in a database and thus survives a restart.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.