0
votes

I have set Idle-timeout to 1 minute for the purpose of testing. In addition, I have a SessionState timeout set to 3 minutes. SessionState timeout is working just fine, but IIS Idle-timeout is not working?

For your information, I have checked the file ApplicationHost.config, and the setting is already there:

<system.applicationHost>
    <applicationPools>
        <add name="dev_web_core" autoStart="true" startMode="AlwaysRunning">
            <processModel idleTimeout="00:01:00" />
            <recycling>
                <periodicRestart time="00:00:00">
                    <schedule>
                        <clear />
                        <add value="01:00:00" />
                    </schedule>
                </periodicRestart>
            </recycling>
        </add>
    </applicationPools>
</system.applicationHost>
1
What do you mean by not working? No timeout at all or not the desired one? Are you testing your web app with IIS, IIS-Express or Cassini, and which version? Are you testing in debug mode? (<compilation debug="true" ... in web.config.) - Frédéric
@Frédéric, I meant no timeout at all. In other words, after the timeout has passed, the user is not redirected to the login page. I'm testing the web app with IIS Version 8.5.9600.16384 on Microsoft Windows Server 2012 R2. Thanks - Abdulkarim Kanaan

1 Answer

0
votes

Based on your comment, it seems you expect the application pool idleTimeout to cause an authentication timeout. This is unrelated. This timeout triggers application pool recycling, which causes your application process to get stopped (and renewed if requests are coming).

Issued authentication tickets are unaffected by this process recycling (at least with frameworks like Asp.Net Identity, provided your site machine key does not change).

You should seek and set up the timeout of your authentication framework instead. With Owin for example, this can be set up when issuing the ticket.

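// Namespaces needed: System, System.Web (GetOwinContext extension), Microsoft.Owin.Security.
// rememberMe (bool) and claimsIdentity (ClaimsIdentity) come from the surrounding sign-in code.
var authenticationManager = HttpContext.Current.GetOwinContext().Authentication;
// Your custom expiration in minutes, preferably taken from some settings
var expiration = rememberMe ? 144000 : 30;
var now = DateTimeOffset.UtcNow;
authenticationManager.SignIn(
    new AuthenticationProperties
    {
        AllowRefresh = true,              // lets sliding expiration renew the ticket
        IssuedUtc = now,
        ExpiresUtc = now.AddMinutes(expiration),
        IsPersistent = rememberMe         // persistent cookie survives browser restarts
    }, claimsIdentity);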
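
An added example, not part of the original answer: the same timeout set once on the OWIN cookie middleware, so that a request arriving after the idle period is challenged and redirected to the login page. The namespace `ExampleApp`, the login path and the 1-minute value are assumptions chosen to match the question's test.

```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]

namespace ExampleApp // hypothetical namespace
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Must match the authentication type of the ClaimsIdentity
                // passed to SignIn, or the cookie is never issued.
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,

                // Where unauthenticated (including expired-ticket) requests
                // are redirected. Assumed path.
                LoginPath = new PathString("/Account/Login"),

                // Ticket lifetime used when SignIn does not set ExpiresUtc itself.
                ExpireTimeSpan = TimeSpan.FromMinutes(1),

                // Idle-style timeout: the ticket is re-issued on a request made
                // after more than half of its lifetime has elapsed, so a user
                // who stays active is not logged out. Set to false for a hard
                // limit counted from sign-in.
                SlidingExpiration = true,

                // Keep the ticket away from script and plain-HTTP requests.
                // CookieSecureOption.Always assumes the site is served over HTTPS.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });
        }
    }
}
```

The expiry is carried inside the protected ticket, not in worker-process memory, so it is enforced the same way before and after the application pool stops or recycles.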