This is a broad topic so I'll try to spare you too many details and give you the basics.
- Session Timeout: Gets and sets the amount of time, in minutes, allowed between requests before the session-state provider terminates the session.
- Forms Authentication Timeout (Expiration): Is used to specify a limited lifetime for the forms authentication session. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
My experience was that I had users of an application request to set the session timeout to 60 minutes. Simple enough, I thought... I will add some code that sets the session timeout.
Session.Timeout = SomeConfigurableValue
WRONG! Actually this was still needed but didn't fully solve the problem. The application was using Forms Authentication. There is also a timeout for forms authentication. Simple enough, I thought... I will add some code that sets the forms authentication ticket timeout.
' The ticket carries its own expiration; it is independent of Session.Timeout (value in minutes)
Dim authTicket As New FormsAuthenticationTicket(1, crlLogin.UserName, DateTime.Now, DateTime.Now.AddMinutes(SomeConfigurableValue), isCookiePersistent, Nothing)
WRONG AGAIN! Actually this was also needed but I was still missing a piece of the puzzle. In IIS (specifically 7.0) there are basically two ways you can manage session state: 1) In Process or 2) Out of Process (there are different varieties of this kind). This site was set up to store session state In Process. This means that the session state is stored inside the worker process (w3wp.exe). Within IIS there is an Idle Timeout property, which by default is set to 20 minutes. Therefore if there is no activity against that site for 20 minutes the worker process will go away, taking with it any sessions, since the site manages session state In Process. After understanding how this works it made sense why users were SOMETIMES saying the session timeout wasn't 60 minutes. Let's take a look at a couple of scenarios.
#1 Session State Active for 60 Minutes
User ABC logs on at 2:00 PM, performs some action, and doesn't attempt to do anything else until 2:50 PM. User XYZ logs on at 2:10 PM and performs some action. Then user XYZ performs other actions at 2:25 PM and 2:40 PM. When user ABC tries to review a user's account at 2:50 PM, their session will still be intact.
#2 Session State Not Active for 60 Minutes
User ABC logs on at 2:00 PM, performs some action, and doesn’t attempt to do anything else until 2:50 PM. User XYZ logs on at 2:10 PM, performs some action, and doesn’t attempt to do anything until 2:45 PM. When both users try to perform their second action they will be required to log back in. This is because IIS recycled the worker process on the server because the worker process was idle for 20 minutes.
There are ways to overcome this; however, the answer isn't trivial. If you just bump the Idle Timeout property this may have implications on your environment. There is also the option of storing the session state out of process, and it is up to you to decide how you want to manage this.
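For anyone wanting to line up the three timeouts the answer describes, here is an added web.config fragment (example config, not from the original answer). The 60-minute value, the login page, the application pool name and the StateServer address are assumptions.

```xml
<configuration>
  <system.web>
    <!-- 1) ASP.NET session timeout, in minutes: the same value Session.Timeout sets in code.
            InProc keeps sessions inside w3wp.exe, so an IIS idle-timeout recycle wipes them all. -->
    <sessionState mode="InProc" timeout="60" />

    <!-- Alternative to raising the pool idle timeout: keep sessions out of process so a worker
         recycle does not lose them. Address is an assumption; the ASP.NET State Service must
         be running there. Uncomment this and remove the InProc element above to use it. -->
    <!-- <sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" timeout="60" /> -->

    <!-- 2) Forms authentication ticket lifetime, in minutes. This value is what
            FormsAuthentication.SetAuthCookie / RedirectFromLoginPage use; a ticket built by hand
            (as in the answer) carries its own expiration and must be given the same value.
            Keep it no longer than the session timeout, otherwise a still-valid ticket can outlive
            the session it belongs to. loginUrl is an assumption. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="60" slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
<!-- 3) The IIS application pool idle timeout is not in web.config. On IIS 7.0 it is set per pool,
        for example (pool name assumed):
        %windir%\system32\inetsrv\appcmd set apppool /apppool.name:"MyAppPool" /processModel.idleTimeout:01:00:00
        A value of 00:00:00 disables the idle timeout entirely; weigh that against the memory
        the pool then holds for idle sites before choosing it over out-of-process state. -->
```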