189

I am running an ASP.NET 2.0 application in IIS 6.0. I want session timeout to be 60 minutes rather than the default 20 minutes. I have done the following:

  1. Set <sessionState timeout="60"></sessionState> in web.config.
  2. Set session timeout to 60 minutes in IIS manager/Web site properties/ASP.NET configuration settings.
  3. Set idle timeout to 60 minutes in application pool properties/performance.

I am still getting a session timeout at 20 minutes. Is there anything else I need to do?

2
  • 2
    Please provide information on how you measured the 20 minutes. Let's be sure that the 20 minutes is a Session timeout, and not some other kind. Commented Mar 16, 2009 at 1:54
  • 1
    Please clarify what you mean by IIS manager/Web site properties/ASP.NET configuration settings. Step by step what did you change in IIS? Commented Jan 30, 2019 at 12:13

11 Answers

305

Are you using Forms authentication?

Forms authentication uses its own value for timeout (30 min. by default). A forms authentication timeout will send the user to the login page with the session still active. This may look like the behavior your app gives when session times out, making it easy to confuse one with the other.

<system.web>
    <authentication mode="Forms">
          <forms timeout="50"/>
    </authentication>

    <sessionState timeout="60"  />
</system.web>

Setting the forms timeout to something less than the session timeout can give the user a window in which to log back in without losing any session data.
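
The interaction this answer describes, as an added example (not part of the original answer): a small Python check that reads a web.config, resolves the session and forms-authentication timeouts using the defaults quoted on this page (20 and 30 minutes), and reports which one an idle user hits first. The function name `audit_web_config` and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults in minutes as stated on this page: session 20, forms auth 30.
SESSION_DEFAULT, FORMS_DEFAULT = 20, 30

def audit_web_config(xml_text):
    """Return (session_min, forms_min or None, findings) for one web.config."""
    web = ET.fromstring(xml_text).find("system.web")
    state = web.find("sessionState") if web is not None else None
    auth = web.find("authentication") if web is not None else None

    session = int(state.get("timeout", SESSION_DEFAULT)) if state is not None else SESSION_DEFAULT
    forms = None  # stays None when Forms authentication is not in use
    if auth is not None and auth.get("mode") == "Forms":
        el = auth.find("forms")
        forms = int(el.get("timeout", FORMS_DEFAULT)) if el is not None else FORMS_DEFAULT

    findings = []
    if forms is not None and forms < session:
        findings.append(f"login prompt after {forms} min idle; session data kept "
                        f"{session - forms} min longer")
    elif forms is not None and forms > session:
        findings.append(f"session data lost after {session} min idle while "
                        f"the user stays logged in until {forms} min")
    # A comment further down this page flags URL-embedded session IDs as a risk.
    cookieless = state.get("cookieless", "false").lower() if state is not None else "false"
    if cookieless in ("true", "useuri"):
        findings.append("session ID is embedded in the URL (cookieless)")
    return session, forms, findings

# Constructed sample inputs (not from the original page).
FORMS_DEFAULTED = """<configuration><system.web>
  <authentication mode="Forms"/>
  <sessionState timeout="60"/>
</system.web></configuration>"""

RISKY = """<configuration><system.web>
  <authentication mode="Forms"><forms timeout="120"/></authentication>
  <sessionState timeout="60" cookieless="true"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("forms-defaulted", FORMS_DEFAULTED), ("risky", RISKY)):
        print(name, audit_web_config(cfg))
```

The first sample shows how a 60-minute session can still look like a shorter timeout: with no `<forms timeout>` set, the login redirect arrives at the 30-minute forms default.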


51

I don't know about web.config or IIS. But I believe that from C# code you can do it like

Session.Timeout = 60; // 60 is number of minutes

3 Comments

Will this only adjust the timeout of the current session? Or will this adjust the timeout for the whole application?
Nothing in the documentation indicates that setting Session.Timeout is any different than using web.config or IIS, so I assume it is for the whole application.
I think @Drasive is right, but it must be proved by at least 2 separate clients connected to the server, checking the idle session timeout.
45

Use the following code block in your web.config file. Here the default session timeout is 80 mins.

<system.web>
 <sessionState mode="InProc" cookieless="false" timeout="80" />
</system.web>

Use the following link for Session Timeout with popup alert message.

Session Timeout Example

FYI: The above example is done with the DevExpress popup control, so you need to customize/replace the DevExpress popup control with a normal popup control. If you're using DevExpress, there is no need to customize.

2 Comments

cookieless false ?
@Kiquenet, if you set cookieless to true then your sessionId will be embedded in the URL, which is a high security risk. The ASP.NET framework inserts a unique id into the URL; you can check this by disabling the cookie or by setting the cookieless attribute to true as you did. According to MSDN, by default the SessionID value is stored in a non-expiring session cookie in the browser, but if you specify cookieless="true" then ASP.NET maintains cookieless session state by automatically inserting a unique session ID into the page's URL.
22

In my situation, it was due to a setting in the Application Pool. The pool is set to restart when idle for x minutes. When I set it to not restart, it seems to use the value from my web.config file, instead.

3 Comments

Can you say which setting in the Application Pool need to be changed?
coreblox.com/blog/2014/12/… has further details for anybody else wanting to find directions to the appropriate setting
App pool, advanced settings, process model, "Idle Time-out (minutes)" default of 20, can be set to 0 "forever"...
9

Do you have anything in machine.config that might be taking effect? Setting the session timeout in web.config should override any settings in IIS or machine.config, however, if you have a web.config file somewhere in a subfolder in your application, that setting will override the one in the root of your application.

Also, if I remember correctly, the timeout in IIS only affects .asp pages, not .aspx. Are you sure your session code in web.config is correct? It should look something like:

<sessionState
    mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    stateNetworkTimeout="60"
    sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
    cookieless="false"
    timeout="60"
/>


4

Since ASP.NET Core 1.0 (vNext or whatever name is used for it) sessions are implemented differently. I changed the session timeout value in Startup.cs, void ConfigureServices, using:

services.AddSession(options => options.IdleTimeout = TimeSpan.FromSeconds(42));

Or if you want to use the appsettings.json file, you can do something like:

// Appsettings.json
"SessionOptions": {
    "IdleTimeout": "00:30:00"
}

// Startup.cs
services.AddSession(options => options.IdleTimeout = TimeSpan.Parse(Config.GetSection("SessionOptions")["IdleTimeout"]));


4

https://usefulaspandcsharp.wordpress.com/tag/session-timeout/

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="60" slidingExpiration="true" />
</authentication>

<sessionState mode="InProc" timeout="60" />


4

The default session timeout is defined in IIS as 20 minutes.

Follow the procedures below for each site hosted on the IIS 8.5 web

IIS Timeout configuration

Open the IIS 8.5 Manager.

Click the site name.

Select "Configuration Editor" under the "Management" section.

From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState".

Set the "timeout" to "00:20:00 or less", using the lowest value possible depending upon the application. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

In the "Actions" pane, click "Apply".

1 Comment

What is your quote block from? Please cite your sources.
3

You can find the setting here in IIS:

Settings

It can be found at the server level, web site level, or app level under "ASP".

I think you can set it at the web.config level here. Please confirm this for yourself.

<configuration>
   <system.web>

      <!-- Session Timeout in Minutes (Also in Global.asax) -->
       <sessionState timeout="1440"/>

   </system.web>
</configuration>

1 Comment

Also in Global.asax ?
2

If you are using Authentication, I recommend adding the following in web.config file.

In my case, users are redirected to the login page upon timing out:

<authentication mode="Forms">
    <forms defaultUrl="Login.aspx" timeout="120"/>
</authentication>

2 Comments

I got an error here at <authentication mode="Forms"> after I placed it in web.config
This answer refers to the duration of the authentication cookie's timeout and is nothing to do with session timeout.
0

The Timeout property specifies the time-out period assigned to the Session object for the application, in minutes. If the user does not refresh or request a page within the time-out period, the session ends.

IIS 6.0: The minimum allowed value is 1 minute and the maximum is 1440 minutes.

Session.Timeout = 600;
