I need to give my ASP.NET website users a way to control their session timeout.
I am using FormsAuthenticationTicket and cookies.
I want to give the users a way to specify how long the session will stay active. The range can vary between a few minutes to 1 day or even more.
I'm using idleTimeout (I asked a question here).
Also, I save the value entered by the user in the database and using that value I initialize the FormsAuthenticationTicket.
I have 2 more concerns: Application Pool and cookie. My website runs under a dedicated App Pool. Do I need to change the idleTimeout property for App Pool, too? Not programmatically, of course.
Anyway, to phrase my question: what other settings need to be done in order to have the session expiration dynamically set and working no matter what time interval?
Thanks.
EDIT: I am using IIS7 on a Windows Server 2008 machine.
it is never a good idea have a session time out too long as you will keep busy some resource on the server and if your web app is accessed by lots of different user it could affect the server performance.
Anyway you can just change the session time out programmatically using the below code
Session.TimeOut= [=nMinutes]
bear in mind that session timeout should be less than Application pool idle timeout, so if you increase session timeout, you have to increase application idle timeout too. Otherwise, application will get recycled. If application is recycled, sessions will expire automatically.
The minimum allowed value is 1 minute and the maximum is 1440 minutes.
Related
I want to increase the session timing of my ASP.NET web App hosted in IIS 6.0. So, I changed the SessionState timing to 600 mins in web.config of the site. But it didn't work and my session times out like in an hour.(Session["myVariable"] == null)
<system.web>
<sessionState timeout="600" />
</system.web>
Now I tried setting the Timeout value in IIS website where this application is hosted by going to website -> Properties -> Home Directory Tab -> Configuration button -> Options tab and changin it to 600 mins, still no luck.
The question here says that this is for classic ASP Pages but not for ASP.NET web sites. which means that I am doing it wrong.
Then I checked the app pool under which this application runs (app Pool->Properties-->Performance tab). This says "Recycle Worker Process(in minutes)" as 10 mins.
I read many questions on SO but none of them gives a clear cut answer on how to increase the session timeout on ASP.NET WebApp.
I want to know the difference between these three settings and when to use which and how do we increase the session timeout of my webApp.
The timeout you set in your web.config is the session timeout.
It controls how long each 'session' of your web app needs to wait before expiration.
Let's say one user logs in to your app and does nothing for 20 minutes and then clicks a button, he will be logged out and needs to login again (assume session timeout is 20 mins). Any other users who were continuing their work won't be affected.
App pool recycling is a different thing. It's a setting which kills and restarts the worker process in IIS as instructed. So if you have it set for 10 minutes, it's like you are restarting IIS every 10 minutes. So all sessions in apps which uses that app pool will get expired unless you have sessions state saved elsewhere.
There is another setting in app pool, which is the idle timeout. It's also set in minutes and it also terminates the worker process if there are no requests for that time period. If you have only your app running in IIS, then you should increase this value as well, along with your session timeout value in web.config. Otherwise even though ASP.NET likes to keep its sessions for long, the app pool won't.
This setting is found in app pool -> advanced settings -> process model
I have the following session configuration in web.config
<sessionState mode="InProc" timeout="1440" cookieless="false">
However for some reason session is timing out. So all I want to do is if the session is expired then reload the saved session, if session serialization is possbile. Is it possible to save a Session object then reload it?
Johnny5's comment probably hit the nail on the head--your process will shut down after a period of inactivity and all InProc sessions will be lost. I don't think IISExpress under Visual Studio gives you a way to control this, so consider running under full-blown IIS during development and increase your app pool's "idle timeout" property to 1440.
But if you really are looking for a way to save a session, the Session_Start and Session_End events in Global.asax are one place to do this. HttpSessionState isn't serializable, so you'd need to either use a different serializer (as Ernesto suggested) or extract all of the session entries and put them into a different type of serializable collection. (The HttpApplication.Session property is read-only, so it'll probably be easiest to take the latter approach in any case since you can't just swap out full session instances..)
But be warned: you'll have problems with Session_End if you're using InProc--it's much too flaky for all but the most trivial uses. App pools regularly recycle themselves for any number of reasons (predefined intervals, high memory usage, inactivity, etc...) and you won't get the nice Session_End event prior to restart, so you'll lose your sessions without them being persisted.
That's why everyone tells you to use an out-of-process provider if you care the least bit about your sessions. The SQL Server and StateServer modes that ship with ASP.NET are the obvious choices, but if you're looking to do long term storage then you may run into a problem because they don't fire the Session_End event.
My employer (ScaleOut Software) has one of the rare out-of-process session providers that can fire Session_End. It's a commercial product, but it can be run for free on a single server if you only have basic needs and don't require all the scalability and fault tolerance that ScaleOut SessionServer can provide.
Just increase the session timeout property. If you want more fine grained control of the Session itself, you can change the sessionState mode to use a state server or SQL server (https://msdn.microsoft.com/en-us/library/ms178586.aspx)
I work with Session[""] objects in ASP .NET/C# MVC. I do a lot of checking on them, but I ask myself, what can destroy a session object without I specify it ?
I want to be sure that these Session[""] will be intact during some processes and can be only cleared by my instructions or if the user quit the application.
If you're using InProc, then a number of things can kill a sessions state. e.g.
Timeout (this can be set in config)
AppPool recycle
Web.Config change
Server crash
If you need a more durable solution, have a read of this article, and there's a few alternatives in this article too.
It's dependent on the type of session state you use.
InProc - sessions are destroyed if the web server process shuts down or crashes. The default shutdown time is 20 minutes after the IIS Application Pool is in active. If the IIS Application pool hits its memory limits it will also shutdown, so this is the least recommended approach for session state management.
StateServer - sessions are stored in a separate service on a server. The session will stay active until this service shuts down or is unavailable. It's more reliable than InProc, but if the service shuts down you loose any session data.
SQLServer - sessions are stored in a SQL database. This is the most robust solution and sessions are essentially guaranteed until you destroy them, but it's also the most complex to set up, requiring SQL server and a database.
Custom - Some other method of storing sessions that you would have to specify.
More information on the subject can be found in the links below.
http://msdn.microsoft.com/en-us/library/vstudio/ms178581%28v=vs.100%29.aspx
http://msdn.microsoft.com/en-us/library/vstudio/system.web.sessionstate.sessionstatemode%28v=vs.100%29.aspx
I am facing an issue in my application that whenever user search for any data and then keep the application idle for like 15-20 mins, and then try to perform any operation on the application, then the application crashes. I am using simple DevEx Grid to show data and ahve details rows and Popup control for that grid.
I think the issue is with the sessions as my application was unable to maintain the session for that duration and due to which application crashes.
Moreover, i have not used any session variables into my application for data.
I cannot find the real cause for this error.
Can somebody help me for the same.
You could write client side javascript to make ajax calls to the server.
This will keep your session alive.
It allows you to have a short timeout at the server, and still a long time out for idle users.
Be sure to have a timeout though, in case your user is away for a hour, the page should log him out.
You can just set the session timeout in IIS to a really high number or minutes (like 1440 for an entire day). This setting is in the "Session State" area.
Another option would be to use Opera as your browser, and load the page once. After that, use Opera's "reload page every..." option to automatically reload the page every minute. This would extend the session forever.
Since you don't store anything useful in session, you should make a way it could reload without crashing. For this you need to anylyse when the crash happens and find a way to prevent the crash. either by initializing with a sane default or catch the exception and start fresh.
i am having problems with an asp.net c# site whereby i am setting a session state object to true and then redirecting to another page that needs to check the value of the session state object and it is null.
Sometimes it is set correctly and other times is is simply null.
When i debug on my local machine it works perfectly every time. Only when i upload to my web server does this temperamental behaviour happen.
As it is based around the security of the site it is obviously important that the session data be valid and accurate every time.
Is session state data unreliable?
AFAIK its set to inproc, cookieless, 30 min timeout, vanilla installation of IIS.
Does anyone have any suggestions? Perhaps i need to thread.sleep inbetween the storing of the session data and the reading?
NB: the time between the write and the read is about 70ms.. ample time for the data to be written to RAM.....
No. It sounds like you are misusing session state. You can not rely on the user's session to be there. Your ASP.NET worker process could recycle, restarting the application and killing all sessions, or a file could change in your website, causing your application to restart and flushing all sessions, cookies could get flushed on the client, timeouts could happen, etc.
So you have to provide for all of these scenarios with Session State. Try to avoid using session state for things like this. If you're setting access inside your session state and you don't know exactly how it works, you could be opening your site up for a lot of security risks.
Everything point to a web farm. If you have different web servers on the production environment serving your application you would experiment this behavior.
I don't find any other explanation for this "WORKS ON MY MACHINE!"
I don't have an answer for your particular problem, but Claudio my be on to something.
What I have to say is that using session for security is so 90's. Literally.
FormsAuthentication was developed to replace that technique and does quite a fine job.
You should only rely upon session for trivial concerns that are easily recoverable.
Security is not one of those.
If the session state is lost, typically that's because your process either recycles or fails. I would never "rely" on the session state between pages. Instead you might want to try to persist data between pages some other way. Perhaps passing the information via form variables or saving the data in the database.
ASP.NET Profiles are a preferred way to save this sort of information. You might want to read ASP.NET State Management Recommendations.