65.9K
CodeProject is changing. Read more.
Home

Why Session.Timeout is not working for your website

Member 4532519
starIconstarIconstarIconstarIcon
emptyStarIcon
starIcon

4.61/5 (10 votes)

Sep 27, 2010

CPOL

2 min read

viewsIcon

112264

This article explains why Session.Timeout sometimes won't work for your website.

Introduction

If you look at any discussion forum related to Session, you will come across the issue of Session.Timeout not working properly. Why? I faced the same issue when I initially implemented session in my project.

Session can be set in the web.config file, or in the code-behind file using the Session.Timeout parameter which is provided by Microsoft. Before going into a detail discussion of why Session.Timeout does not work, first we need to look at the architecture of IIS. Then we can easily understand when Session.Timeout fails or when it works.

If you look at the above architecture of IIS, we have different application pools available. If we want, we can create new application pools. We also have a default application pool. For each and every application pool, a worker process will be created as a result of which each and every application pool can run independently. Moreover, each and every application pool will have its own session timeout value. This means that when the session timeout value is reached, the application pool will be restarted. If we want, we can change the session timeout value in IIS (right click on the application pool's properties -> there we can see the session parameter). And whenever we create a web site that will fall under any one of the application pools, if we don't specify anything, then they will fall under the default application pool. The website shown below has its own session timeout value:

  1. Open IIS, then right click on the websites and got to the Properties window

  2. Click on the home directory

  3. Then click on the configuration

  4. Click on the Options

If we look at the above figure, we can see the session timeout parameter. This is at the web site level, and Microsoft had provided a parameter for controlling this: Session.Timeout. Using this, we can change the session timeout value from the code-behind file.

The crux of this is, we have two things: the application pool that has its own session timeout value, and the web site that also has its session timeout value. Microsoft has given the parameter Session.Timeout to change the website session timeout value. not the application session timeout value. We have to understand one thing here: we have to make sure that the application pool session timeout value is always greater than the website session timeout value; only the will the Session.Timeout parameter work; otherwise, it won't. The reason is as follows: whenever the application session timeout is reached, the application pool will be restarted and because of that Session.Timeout of the website parameter won't work.

Points of Interest

Website Session.Timeout will work only when it is less than the application pool session timeout value; because whenever the application pool session timeout value is reached, that particular application pool will be restarted.