How do I change the session timeout?

[Guest]

I tried:
<sessionState timeout="1">
</sessionState>

bounced IIS, and after 1 minute still had a session.

???

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[Guest]

I tried:
<sessionState timeout="1">
</sessionState>

bounced IIS, and after 1 minute still had a session.

???

The IIS only clears out old sessions once a minute, so the sessions will
live up to two minutes.

 

[Steven Cheng[MSFT]]

Hi Dave,

As for ASP.NET SessionState, the timeout setting does be the "timeout"
attribute of the <sessionState> element:

#sessionState Element
http://msdn2.microsoft.com/en-us/library/h6bb9cz9.aspx

As for the session timeout behavior, how did you found that the session
hasn't been timeout. When a old session has been timeout, a new one will be
started. Have you checked the sessionID to verify that a different
sessionID has been established?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Juan T. Llibre]

re:
!> Have you checked the sessionID to verify that a different
!> sessionID has been established?


Steven,

There is an issue with SessionID, Internet Explorer and Firefox which consists in that,
if all instances of IE/Firefox aren't closed before attempting to create a new session,
the SessionID will be recycled ( the same SessionID will continue to be used ).

Easy repro :

1. Create a Session start time variable in global.asax:

Sub Session_OnStart()
Session.Contents("SessionStartTime") = Now
End Sub

2. Create a test page, SessionID.aspx :
<%@ Page Language="VB" %>
<html>
<head>
</head>
<body>
<script language="VB" runat="server">
Sub Page_Load(Sender As Object, E As EventArgs)
Response.Write("Session ID : " & Session.SessionID)
Response.Write("<br />")
Response.Write(" Session start time : " & Session("SessionStartTime"))
End Sub
</script>
</body>
</html>

3. Set the session timeout in web.config to 1 minute :

<sessionState mode="InProc" cookieless="false" timeout="1" />

Now, close all instances of Internet Explorer/Firefox, except one and :

1. Run SessionID.aspx and note the Session ID and the time.

2. After 1 minute and 1 second, refresh the page.

The SessionID will be the same, but the Session start time will be different.
( The SessionID was recycled, but there is a new Session start time, so there's a new session )

3. Now, close Internet Explorer/Firefox and run the same page.

The SessionID will change.

This behavior must be taken into consideration when testing because,
if all browser windows aren't closed, the SessionID will be the same
....even though a new session exists.

I haven't tested other browsers, but suspect that, since IE
and Firefox exhibit the same behavior, the same will happen.

 

[Juan T. Llibre]

re:

The IIS only clears out old sessions once a minute, so the sessions will live up to two minutes.

Have you tested that ? That is not true.

IIS has nothing to do with session length.
Session length is determined by ASP.NET.

And, invariably, if you set the timeout to 1 minute,
at one minute and 1 second after that time, a new session will start.

See my just-sent reply to Steven Cheng and test it yourself.

 

[Juan T. Llibre]

David,

See my just-sent reply to Steven Cheng.

The SessionID is recycled if you don't close all browser instances.
i.e., even though you have the same SessionID, you'll have a new session.

Try the code I sent in my reply to Steven and test it yourself.

 

[Guest]

Hi;

Ok, I changed the timeout to 3 (minutes), restarted IIS, logged in to my app
which we use the ASP.NET membership/role provider for, waited 5 minutes, then
went to a different page and it displayed that page - I was still logged in.

If I wait 21 minutes and go to a different page it makes me log in again.

Am I not understanding something on the session timeout?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[Juan T. Llibre]

re:

Ok, I changed the timeout to 3 (minutes), restarted IIS

You don't need to restart IIS.
Editing web.config will start a new application instance and session.

re:
!> logged in to my app which we use the ASP.NET membership/role provider for,
!> waited 5 minutes, then went to a different page and it displayed that page
!> - I was still logged in.

!> If I wait 21 minutes and go to a different page it makes me log in again.

If you want your application, which uses ASP.NET membership,
to not keep you logged in for 20 minutes, change the timeout for
the forms authentication cookie.

The session duration has no bearing on the duration
of the timeout period configured for forms authentication.

Look for the "timeout" element of the forms authentication section
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="20"
etc...

/>

....and change *that* timeout to whatever you want to, in minutes.

You will see that the logged-in period changes to match the number of minutes you specify.

 

[Guest]

That fixed it. But how are the session and login seperable? It seems to me
that if I lose my session then I've lost what I am working on and so it
should log me out too.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[Juan T. Llibre]

re:

That fixed it.
Yup...

re:
how are the session and login separable?

They are two different objects.

A session will last for as long a period as you set in <sessionstate...>

A period of time for your app to remember your login parameters is different.
That's set in the forms timeout property.

ASP.NET membership doesn't need for a session to be active
in order to remember whether your membership parameters are active.

One of those parameters is the time for the app
to remember whether you're logged in or not.

You can choose to base your app on the length of the session,
or on the time needed for your login to expire.

Depending on which of the two objects you choose to control how
your application behaves, the appropiate length will be implemented.

 

[Guest]

I guess that makes sense. For our case I'd prefer that we have both or
neither but I can see wanting different times.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[=?ISO-8859-1?Q?G=F6ran_Andersson?=]

re:

Have you tested that ?

Yes, I have.

That is not true.

Yes, it is.

IIS has nothing to do with session length.
Session length is determined by ASP.NET.

And, invariably, if you set the timeout to 1 minute,
at one minute and 1 second after that time, a new session will start.

See my just-sent reply to Steven Cheng and test it yourself.

Yes, if you start a web application by requesting a page from it, you
will naturally also start the mechanism for timing out the pages at the
exact same time.

What you are demonstrating is that the timeout is occuring at one minute
intervals from the starting time of the application, not that it is
running every second.

 

[Juan T. Llibre]

re:

Yes, it is.

Jeez, you *are* argumentative aren't you ?
....even when you're -evidently- mistaken.

I supplied you with sample code which proves that what you stated is not true.
Prove that my sample code isn't valid by supplying us with code which proves you're right.

re:
!> What you are demonstrating is that the timeout is occuring at one minute
!> intervals from the starting time of the application, not that it is running every second.

You should re-read my sample code.

What I demonstrated is that the *session*, not the application, started at a certain time,
and that one minute and 1 second after the session started, if the timeout is set to 1 minute,
the timeout will occur, and will not live for up to 2 minutes, like you -mistakenly- posted.

Here's what you wrote :

"The IIS only clears out old sessions once a minute, so the sessions will live up to two minutes."

First of all, IIS has nothing to do with ASP.NET session timeouts.
IIS doesn't "clear out" anything regarding ASP.NET sessions.

Secondly, the sessions will *not* live "up to two minutes".
They will timeout on the first second after the 1st minute expires.

It would be simpler to admit that you're mistaken...on both counts.
We all make mistakes...and this time you made one.

 

[Mark Rae]

Jeez, you *are* argumentative aren't you ?
...even when you're -evidently- mistaken.

You've noticed...

It would be simpler to admit that you're mistaken...on both counts.
We all make mistakes...and this time you made one.

I normally find with him that it's simpler just to move on to the next
question...

 

[=?ISO-8859-1?Q?G=F6ran_Andersson?=]

re:

Jeez, you *are* argumentative aren't you ?

Perhaps. And you are trying to imply that you aren't?

...even when you're -evidently- mistaken.

Well, the evidence for that is still to be presented.

I supplied you with sample code which proves that what you stated is not true.
Prove that my sample code isn't valid by supplying us with code which proves you're right.

No, you haven't. The sample code is valid, but it doesn't at all prove
what you now claim that it does.

re:
!> What you are demonstrating is that the timeout is occuring at one minute
!> intervals from the starting time of the application, not that it is running every second.

You should re-read my sample code.

I have re-read your sample code, and even tried it for myself. It works
as expected, but it still has no bearing on this discussion. The only
thing that contradicts what I have said, is the conclusions that you
mistakenly have drawn from the result.

What I demonstrated is that the *session*, not the application, started at a certain time,
and that one minute and 1 second after the session started, if the timeout is set to 1 minute,
the timeout will occur, and will not live for up to 2 minutes, like you -mistakenly- posted.

When the application starts at the same time as the session, as in your
test, it doesn't prove that the timeout interval is based on the
starting time of the session rather than the application. As they are
the same, the test doesn't prove anything at all.

Here's what you wrote :

"The IIS only clears out old sessions once a minute, so the sessions will live up to two minutes."

First of all, IIS has nothing to do with ASP.NET session timeouts.
IIS doesn't "clear out" anything regarding ASP.NET sessions.

Ok, it might not IIS itself, but ASP.NET, that runs in the IIS
environment, that does that. Does it make any difference, really? Is
that what you are so upset about?

Secondly, the sessions will *not* live "up to two minutes".
They will timeout on the first second after the 1st minute expires.

It would be simpler to admit that you're mistaken...on both counts.
We all make mistakes...and this time you made one.

 

[Juan T. Llibre]

re:

When the application starts at the same time as the session, as in your test

You know diddly-sh*t, clearly.

Click on this link and see that the Application's
start time occurs earlier than the Session's start time

http://asp.net.do/test/sessionID.aspx

re:

As they are the same, the test doesn't prove anything at all.

They are *not* the same, as proven by the above link.

Now, backtrack a bit to what you wrote...and are ignoring :

!> "The IIS only clears out old sessions once a minute, so the sessions will live up to two
minutes."

Exactly, how do you prove that to be true ?

re:
!> Ok, it might not IIS itself, but ASP.NET, that runs in the IIS environment, that does that.
!> Does it make any difference, really?

It *does* make a difference because other http applications, like ASP,
will set their own timeouts, and IIS *still* won't have anything to do with that.

I agree with Mark.
You are a hopeless case when it comes to admitting your mistakes.

It's sad, considering that you think you're a bright young man, except that
your bullheadedness when it comes to admitting you're wrong about
something won't let you get to be a smart old man.

re:

Jeez, you *are* argumentative aren't you ?

Perhaps. And you are trying to imply that you aren't?

...even when you're -evidently- mistaken.

Well, the evidence for that is still to be presented.

I supplied you with sample code which proves that what you stated is not true.
Prove that my sample code isn't valid by supplying us with code which proves you're right.

No, you haven't. The sample code is valid, but it doesn't at all prove what you now claim that it
does.

re:
!> What you are demonstrating is that the timeout is occuring at one minute
!> intervals from the starting time of the application, not that it is running every second.

You should re-read my sample code.

I have re-read your sample code, and even tried it for myself. It works as expected, but it still
has no bearing on this discussion. The only thing that contradicts what I have said, is the
conclusions that you mistakenly have drawn from the result.

What I demonstrated is that the *session*, not the application, started at a certain time,
and that one minute and 1 second after the session started, if the timeout is set to 1 minute,
the timeout will occur, and will not live for up to 2 minutes, like you -mistakenly- posted.

When the application starts at the same time as the session, as in your test, it doesn't prove
that the timeout interval is based on the starting time of the session rather than the
application. As they are the same, the test doesn't prove anything at all.

Here's what you wrote :

"The IIS only clears out old sessions once a minute, so the sessions will live up to two
minutes."

First of all, IIS has nothing to do with ASP.NET session timeouts.
IIS doesn't "clear out" anything regarding ASP.NET sessions.

Ok, it might not IIS itself, but ASP.NET, that runs in the IIS environment, that does that. Does
it make any difference, really? Is that what you are so upset about?

 

[=?ISO-8859-1?Q?G=F6ran_Andersson?=]

You know diddly-sh*t, clearly.

....and that's basically where I stopped reading. If you can't keep a
civil tone in the newsgroup, then it's hardly any point in posting
anything, is there?

 

[Juan T. Llibre]

<plonk>

You should have *apologized* for wasting everybody's time here,
insisting that the cr*ppy ideas you thought were correct were, in fact, mistaken.

 

[=?ISO-8859-1?Q?G=F6ran_Andersson?=]

It's you who are wasting everyones time with these insults of yours.

If you have anything constructive to to contribute, and not only
demeaning adjectives and profanity, I will welcome it.

 

[Juan T. Llibre]

re:

If you have anything constructive to to contribute, and not only demeaning adjectives and
profanity, I will welcome it.

I tried it...until your bullheadedness continued insisting that you
were right when you were clearly wrong, wasting everybody's time.

You did the same thing in the floating point thread.

You don't understand reasoned argument, and think that you're right
....because you *think* you're right, without the need for showing any proof,
and without analyzing what others reply to you...which proves you wrong.

I have news for you : you were *not* right;
not in this thread and not in the floating point thread, where you *also* wasted everybody's time.

You have *not* shown *any* proof that what you argued regarding IIS is right.

You have *not* shown *any* proof that what you
argued regarding the time for sessions to exist is right.

Otoh, you have great capacity to continue thinking
that you're right when you've been proven to be wrong.

What you call "demeaning" is an accurate reflection of the truth.

Is that constructive enough ?