Session expiration

Vishal

Hello,

Can anybody tell me how I can extend the session
expiry time? Is it done via code or via IIS? Sorry, I am
new and don't know about this.
 
Where do you suggest to set this?
I've heard in the web.config file:
<sessionState mode="InProc" timeout="60" />
but I can't seem to get that to work?
What about the global.asax file?
I thought that page by page is overkill?

thanx.
 
The default value is a good figure : 20 minutes.

If you don't plan for your users to stay at any one
page without browsing to other pages for that
long, you could set it at 15 or even 10 minutes.

Setting it to a higher figure will only waste resources
if your users never stay at one page for as long a time
as you set in Session.Timeout.

Remember, Session_OnEnd only executes after
the number of minutes specified in Session.Timeout
has elapsed *without* the user having requested a page.




Juan T. Llibre
ASP.NET MVP
===========
 
And it only executes when using InProc mode.


 
re:
And it only executes when using InProc mode.

Absolutely.

Sometimes, since 99% of developers use InProc,
we tend to ignore the more complicated scenarios.

Thanks for pointing that out.

We also need to remember that for Session_OnEnd to fire,
the session state has to exist first, meaning that you have to
have stored some data in the session state and must have
completed at least one request for the session data.

If at least one session data item has not been stored and
requested at least once, Session_OnEnd won't fire, either.




Juan T. Llibre
ASP.NET MVP
===========
 
The question still is, say if you do want to change it from the default value
of 20 minutes, where is it best to change it?
 
That would depend on whether you want the
new value to be a globally applied value,
or whether you only want the session time
extended for users who access specific pages.

If you want the value applied globally, set it in web.config.

If you want the session to be longer only for users
who access specific pages which might take longer
to process, change it in code on those pages.

I'd only set the Session.Timeout to a longer value
in code in specific pages which take longer to process
( like long forms which the user has to fill in ).




Juan T. Llibre
ASP.NET MVP
===========
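
The two options from this thread in one place, as an added example that is not part of the original posts: the site-wide default in web.config, a per-page override in code, and a Session_End handler (the thread's Session_OnEnd) under the conditions described above. The class names Global and LongFormPage and the "StartedUtc" key are hypothetical.

```csharp
// Added example; Global, LongFormPage and "StartedUtc" are hypothetical names.
//
// web.config, inside <system.web>: the site-wide default, in minutes.
//   <sessionState mode="InProc" timeout="20" />

using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

// Global.asax.cs
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        // Storing a value makes ASP.NET keep the session,
        // so there is session state for Session_End to expire.
        Session["StartedUtc"] = DateTime.UtcNow;
    }

    protected void Session_End(object sender, EventArgs e)
    {
        // Raised only with mode="InProc", once Timeout minutes pass
        // without a request. HttpContext.Current is null here.
        var started = (DateTime)Session["StartedUtc"];
        var minutes = (DateTime.UtcNow - started).TotalMinutes;
        // The session ID is deliberately kept out of the log line.
        Trace.WriteLine(string.Format("Session ended after {0:F0} min", minutes));
    }
}

// LongFormPage.aspx.cs: code-behind for a page with a long form
public partial class LongFormPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Affects the current user's session only; every other
        // session keeps the value configured in web.config.
        Session.Timeout = 60;
    }
}
```

The value set in Page_Load stays with that session on later pages until code sets it again.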
 
So this statement should be correct, see previous thread:

<sessionState mode="InProc" timeout="60" />
 
Like I said before, globally setting the session timeout
to 60 minutes will cause higher resource consumption
( more ram consumption, for example ) than if you only
set the session.timeout to 60 minutes for those users
who have to stay a long time at specific pages.

Naturally, if *all* users have to go through a page which
takes an unusually long time to process, then setting the
session.timeout to a longer time makes sense, but if only
a subset of your users need to spend that much time at
a single page ( without being able to request at least one
other page ), then setting the session.timeout to a larger
value will result in a waste of server resources.

The longer the session.timeout value,
the more resources are consumed by the server.

This becomes quite critical at servers which have a
large number of concurrent users within the time period
specified in web.config.

To give you an idea, if you have 100,000 user sessions
within one hour ( and you set session.timeout to 60 minutes )
and you store 10kb per user in the session object,
you will need 1GB RAM just to store session data.

If you store 100kb per user in the session object,
you'd need 10GB RAM, just to store session data.

If your site is a low-traffic site, then you can safely set
the session.timeout to 60 minutes, because it probably
won't matter ( unless you store 100MB per user in the
session object, heh, heh... )




Juan T. Llibre
ASP.NET MVP
===========
 
In this case, this is a local web application, not open to the public. Users
are 25.

Another scenario that you didn't consider is the age-old issue with users in
a corporate environment that like to "keep" their windows open at all times,
just in case they need to do something in that app. So sometimes we set the
timeout higher because they complain when they come back after lunch, etc. and
are forced to log back in.
It's like trying to make a web app as close to client server as possible.
We're getting closer, but just not there.
Thanx.
 
With only 25 users, you can set the timeout
to 600 ( 10 hours ) without problems.

That will keep everybody within the same
session during normal working hours.



Juan T. Llibre
ASP.NET MVP
===========
 