ASP.Net 2.0 Unexpected Session Timeout

[Jack]

We running an ASP.Net 2.0 app on IIS 6. We're trying to set a session
timeout to 4 hours (business requirement). We've tried setting the timeout
at login via code, setting it in the global.asax, and setting it in the
web.config. We still get random timeouts, sometimes less than 5 minutes
after login.

We're logging pages that have had their session variables cleared in the
event logs, and it's on multiple pages. It's like something is recycling
the worker process, but I don't know why it would.

Any ideas?

 

[bruce barker]

you need to set the asp.net idle time to more than 4 hours, so automatic
recycles don't happen. then you need to check the event logs to se how
often and you are getting recycles (too much memory, file/dir changes, etc).

-- bruce (sqlwork.com)

 

[Kevin Spencer]

First of all, setting Session Timeout to 4 hours is not a business
requirement. A business requirement is defined as what the application
should do, not how it should do it; how it should do it is called "design,"
"architecture," or a "solution."

Second, as design, architecture, or a solution, it is a very bad idea.
You're trying to do something with Session that Session is not designed to
do. Sessions time out to prevent memory resources on the server from being
wasted. When a Session is created, memory is allocated to that Session.
Since it is not known when the user will stop making requests to the server,
the Session automatically times out after an interval in order to free up
the memory allocated. By setting Sessions to time out after 4 hours, you
ensure that every user that logs on the the application will have memory
allocated for a period of 4 hours, regardless of how long the user is using
the application. In fact, the 4 hour interval doesn't start until the last
request is sent to the server. So, if a user goes away from his/her computer
for 3 hours and comes back to access the application, the Session is reset,
assuming that the user hasn't shut down his/her browser, in which case a new
4-hour Session is started.

There are other problems with this solution as well. While the server may
allocate Session memory for 4 hours, that doesn't stop the client from
closing the browser window and opening another. Depending upon the actual
business requirements for which this solution was proposed, there may be
serious security issues as well.

Your web application may be recycling due to excessive memory usage. If the
amount of memory being consumed by a web application reaches a certain
critical point, this will happen automatically.

There are any number of better solutions to satisfy the (as yet unnamed)
business requirement for which this ill-advised solution was devised. Just
about any of them would be better for you. If you can share with us the
actual business requirement, that would be a good starting point.

--
HTH,

Kevin Spencer
Microsoft MVP

Printing Components, Email Components,
FTP Client Classes, Enhanced Data Controls, much more.
DSI PrintManager, Miradyne Component Libraries:
http://www.miradyne.net

 

[Brian Simmons]

Why does this happen on practically every thread in these MS forums.
Some poor soul posts a question that "violates" someone's personal agenda,
and that person feels compelled to jump in and tell the user why what
they're doing is "wrong" and how they're going to hell for doing it.

Why can't you just let the original poster be? He had a legitimate
question, and yes he's setting the sessiontimeout to something ridiculous,
but who really cares.
Chiming in with "that stupid" comments and then question the whole
architecting decision doesn't help the guy at all.

Just let him be, and if you don't have a solution or suggestion to his
specific problem, let it be. Keep your personal agenda to yourself.

Perhaps his application is used solely by the CEO of the company, and the
CEO has personally requested a 4 hour timeout. The CEO signs his paycheck,
you don't think the original poster is going to do everything within his
power to meet the CEO demands.

Why is it that seemingly every thread gets high-jacked like this???

 

[carion1]

I guess it was ok for you to do the same...

Why does this happen on practically every thread in these MS forums.
Some poor soul posts a question that "violates" someone's personal agenda,
and that person feels compelled to jump in and tell the user why what
they're doing is "wrong" and how they're going to hell for doing it.

Why can't you just let the original poster be? He had a legitimate
question, and yes he's setting the sessiontimeout to something ridiculous,
but who really cares.
Chiming in with "that stupid" comments and then question the whole
architecting decision doesn't help the guy at all.

Just let him be, and if you don't have a solution or suggestion to his
specific problem, let it be. Keep your personal agenda to yourself.

Perhaps his application is used solely by the CEO of the company, and the
CEO has personally requested a 4 hour timeout. The CEO signs his paycheck,
you don't think the original poster is going to do everything within his
power to meet the CEO demands.

Why is it that seemingly every thread gets high-jacked like this???











- Show quoted text -

 

[mark4asp]

Just let him be, and if you don't have a solution or suggestion to his
specific problem, let it be. Keep your personal agenda to yourself.

Kevin is trying to give someone best long term advice which I think is
better than just giving the punter a piece of Elastoplast.

Perhaps his application is used solely by the CEO of the company, and the
CEO has personally requested a 4 hour timeout. The CEO signs his paycheck,
you don't think the original poster is going to do everything within his
power to meet the CEO demands.

Sometimes you need to have the balls to look the CEO in the face and
tell them they're wrong and they can't do that - and maybe even hint
that you'll leave if they continue interfering in matters that are
beyond their ken.

 

[Jack]

Kevin,

Thanks for the tough love. Basically our app will serve < 20 users.
Session seemed the easiest way to maintain things from page to page. Our
users have requested that their login persists half a day. We started with
30 minute sessions, as most people logging into the app will be using it
throughout the day. However, we kept getting timeouts, sometimes in less
than 5 minutes. It uses no memory-hogging controls, no typed datasets, all
database connections are closed (not explicitly disposed, but I thought in
ASP.Net 2.0 that was not an issue). I think it is a recycling issue, but
can't trace what is causing the recycle. The IIS app pool is set to recycle
in some number of minutes, we keep bumping it up. I just now changed it to
only recycle at midnight in hopes that may do the trick. Trust me I would
prefer the sessions not be set so long, we just can't make it work.

We can not pass variables through the querystring. The only other options I
know of are cookies and sessions (which as I understand use cookies). Are
you saying go to cookies? Or is there another method? I know you can
persist state in the db, but at the end of the day you still need a cookie
or session variable in that case to identify the data, correct? Plus you
get more overhead db calls then?

And so I understand sessions better, if they are not intended for
application / variable use, do they have any purpose other than memory
allocation? If not, then why do session variables even exist? I'm not
being a punk, just wondering why something even exists if it is not intened
to be used.

Thanks for any help.

 

[Juan T. Llibre]

Could you consider not using Sessions at all and, instead
implementing a Forms-based authentication scheme
whose timeout you can set to any length of time you want to ?

We running an ASP.Net 2.0 app on IIS 6. We're trying to set a session timeout to 4 hours (business requirement).
We've tried setting the timeout at login via code, setting it in the global.asax, and setting it in the web.config.
We still get random timeouts, sometimes less than 5 minutes after login.

 

[Patrice]

This is because knowning what is the problem the choosen solution is
supposed to solve, could raise better suggestions (such as shown in this
thread by Juan's answer that suggest an alternate approach).
Generally I introduce this in a smoother way such "You may want to tell us
what you are trying to do as it could raise alternate suggestions for
solving this problem".

Now back to the original point :
APS.NET 2.0 introduces an "health monitoring" feature. You should be able to
see this easily by adding :
<healthMonitoring>
<rules>
<add name="Application Lifetime Events" eventName="Application
Lifetime Events" provider="EventLogProvider"/>
</rules>
</healthMonitoring>
in your web.config file (see
http://msdn2.microsoft.com/en-us/library/ms178703.aspx for details).

Now you should have entries in your event log each time the application
starts/stops all along with the reason.

 

[Jack]

Thanks Patrice. That sounds like what I was looking for.