Windows Authentication and Session timeout

2
votes

We are using an ASP.NET web application, IIS 7.5 using Windows Authentication.

  • Anonymous, ASP.NET Impersonation, and Forms Authentication are all turned off.

Session timeout is set in the application at 120

< sessionState timeout="120" />

Application Pool idle timeout is set to 180, recycling is done each morning at 3:00 AM (lowest usage time). This does not happen in relation to updating files.

The users are logging in via Chrome or IE, and it works fine, until it doesn't.

User complain they are suddenly asked to log off after a few minutes of inactivity... sometimes. This does not happen all the time.

I have been looking at logs, events, etc and cannot find anything to let us know why this is happening.

Does anyone have any idea why this would be happening?

1
asp.netwindows-authenticationsession-timeout
stackoverflow.com/questions/3515947/losing-session-staterogerdeuce
I looked through this post in my search, it is a great post, but didn't solve my issue. Thank you for the reply.Bradley2u

1 Answers

0
votes

Make sure the idle timeout isn't set on the app pool in IIS. The default for that setting is 20 minutes (which leads to confusion over whether the timeout was triggered by session timeout or idle timeout) and in most cases can be safely set to 0, which turns it off.

To check the idle timeout in IIS, go to Advanced Settings for the app pool.

The idle timeout is a sliding window based on activity for the app, so requests from any client will reset the window. If your app is lightly used, you'll hit the timeout frequently, causing your app pool to recycle. The impact to users is that any sessions that had been active will be lost, and users walking up to your app after it has been idle will have to wait for it to run all of its start up processes.

https://technet.microsoft.com/en-us/library/cc771956(v=ws.10).aspx