Wednesday, October 19, 2011
ASP.NET Session Timeouts
In ASP.NET there are lots of timeouts. In this blog entry I will be covering in great detail Session timeout due to the complexity of the issue and the fact that I can never remember where all the setting are and what they are for. I am not covering other timeouts except Script Timeout.
SIDE NOTE: Web services that you consume have timeouts before ASP.NET stops waiting for a response from a web service, but I am not covering that here. The web services on the server side have timeouts that are independent of the ASP.NET consuming the web service. I am also not covering timeouts associated with database connections or authentication either. It is however important that all these timeouts be be compatible with each other, otherwise you will get undesirable behavior. For example, don't set your execution time to less than the database timeout. Or don't set the application recycle to be less than the session timeout.
SessionState Timeout
This is the number of minutes before an ASP.NET user session is terminated. It must be an integer, and it is in minutes. The default is to terminate the session after 20 minutes and the application will throw an exception when accessing an terminated session. Another way to think of this is that it is the time between requests for a given session (which is per user) before a session is terminated.
I recommend reading Idle Timeout section below to see how these are related.
Using Web.config
<system.web> <sessionState timeout="20" />
<system.web>
Using IIS You can get to the setting by: Open IIS | Properties on Web Site | ASP.NET tab | Edit Configuration... (or Edit Global Configuration to change for more than one site) | State Management tab.
Here you will see a textfield with a label that says "Session timeout (minutes) with a default value of 20 minutes.
Session Timeout Event
When the session times out it fires an event called: Session_End and then when the user hits the page again (after it has expired or the first time), it will start a new session and the Session_Start event is called. It is important to know that the only thing you can really do in the Session_End event is do clean up. This is because this event fire even if a user doesn't hit a page again. In other words, if a session times out due to inactivity, the Session_End is fired even if the user never refreshes the page, etc. It is independent of the page lifecycle. These events are defined in the Global.asax file.
Detecting when a session has timed out The short answer to this is that you have a session time when the following conditions are met:
Context.Session != null
AND Context.Session.IsNewSession == true
AND Page.Request.Headers["Cookie"] != null
AND Page.Request.Header["Cookie"].indexOf("ASP.NET_SessionId") >= 0
The long answer is read this blog for more details and sample code: http://www.eggheadcafe.com/articles/20051228.asp
and http://aspalliance.com/520
Idle Timeout
IIS 6.0 (and probably 7) has a setting that controls how idle processes are handled.
This can also affect the session timeout indirectly. This is the case when let's say you have the Idle timeout set to 10 minutes to save resources. If your site is not used a lot and say that the only user using your site stopped using it 10 minutes ago, this means that your application will get recycled. One of the side effects of an application getting recycled is that all sessions are terminated also. So, in this case even if your session is set to timeout say in 30 minutes, under some conditions (little traffic), it is effectively 10 minutes.
If you have low traffic on your application I strongly recommend you set the Idle Timeout to at least as long as your session timeout, otherwise you will effectively be limiting the session time to the Idle Timeout when there is very little traffic on your site. This is in my cases not the desired behavior.
Here is what the help docs in IIS say:
"Idle timeout limits helps conserve system resources by terminating unused worker processes by gracefully closing idle processes after a specified idle duration. This allows you to better manage the resources on particular computers when the processing load is heavy, when identified applications consistently fall into an idle state, or when new processing space is not available."
Open IIS | Properties on the App Pool you are using | Performance tab Here you will see a setting that says: "Shutdown worker processes after being idle for 20 (time in minutes)" where 20 is the default.
NOTE: Some shared hosting provider don't allow you to access or change this value. In this case one option is to at a set interval ping your application (from a program running on another computer) to keep it alive and thus not get recycled. Though some providers may change the setting so that all application are recycled at particular times as well. Best of luck working with shared hosting providers. I would love to have feedback on a shared hosting provider that has settings that are good for low traffic sites.
Recycle Worker Processes
IIS 6.0 (and probably 7) has a another setting that you can set that determines when the worker processes are recycled.
Open IIS | Properties on the App Pool you are using | Recycling tab
Here you will see a setting that says:
"Recycle worker processes (in minutes):" with a default value of 1740 which is 29 hours.
Classic ASP - Session State timeout in IIS There is a setting in IIS 6 (and probably 5 and 7) that controls the session timeout in minutes if the user does not refresh or change pages in the specified number of minutes. This is for Classic ASP pages NOT ASP.NET. So don't worry about this for ASP.NET. I added it here since it can be confusing You can get to the setting by: Open IIS | Properties on Web Site | Home Directory tab | Configuration button | Options tab.The field label is "Session timeout:" and the value is 20 minutes as the default value.
Classic ASP - Script timeout in IIS There is a setting in IIS 6 (and probably 5 and 7) that controls the script timeout in seconds. This is the time that ASP allows a script to run before it stops the script and records the event in the Event Log. This is for Classic ASP pages NOT ASP.NET. So don't worry about this for ASP.NET. I added it here since it can be confusing. You can get to the setting by: Open IIS | Properties on Web Site | Home Directory tab | Configuration button | Options tab.The field label is "ASP script timeout:" and the value is 90 seconds as the default value.
Alternate Timeout handling Mechanisms In some cases you want to inform the user about session timeout status or automatically have it renew, or maybe any other sort of action. You can use JavaScript / AJAX to accomplish this. If you have access to IIS configuration and you are something like an Intranet you can set your application pool to not recycle if you have enough resources, and set an extremely long session timeout and then handle the timeout on the client side instead. This appears to be a much better experience for the user in general. However, you can also use these techniques to just improve the experience the user has when a session times out.
This article goes into great detail so I won't. The article (http://ajaxpatterns.org/Timeout) does such a wonder job of explaining it. It is complete with demos as well.
Here is a nice link (http://www.pascarello.com/AjaxSessionTimer.aspx) to a timeout warning message box that shows when your session is about to expire. It does not get past the issue of the application being recycled so be sure to adjust that as recommended above.
Here is a link to stuff to make your UI look really cool: http://script.aculo.us/
Script Timeout
While this is not really session timeout, it could affect it in rare instances so I am mentioning it here for completeness. This is the maximum time an .aspx page can run before timing out. It can be set in two places. Either the web.config (or machine.config for all sites) or via code using Script.ScriptTimeout. If you have debug enabled in web.config then the Server.ScriptTimeout is set to 30000000 seconds (or 347.2 days). Otherwise the default is 90 seconds. This setting is most important if you have long requests that need processing like file uploads, etc. In general the defaults are probably ok.
Using the web.config
This sets the timeout to 3 minutes.
<compilation debug="false"/>
<httpRuntime executionTimeout="180" />
Using code
Server.ScriptTimeout
Using IIS
You can get to the setting by: Open IIS | Properties on Web Site | ASP.NET tab | Edit Configuration... (or Edit Global Configuration to change for more than one site) | Application tab.
Here you will see a textfield with a label that says "Request Execution timeout (seconds):" with a default value of 110 seconds.
IMPORTANT NOTE: Be sure to uncheck the "Enable debugging" checkbox next to this field, otherwise, the value will be ignored and set to the 30,000,000 seconds that debugging defaults to.
SIDE NOTE: Web services that you consume have timeouts before ASP.NET stops waiting for a response from a web service, but I am not covering that here. The web services on the server side have timeouts that are independent of the ASP.NET consuming the web service. I am also not covering timeouts associated with database connections or authentication either. It is however important that all these timeouts be be compatible with each other, otherwise you will get undesirable behavior. For example, don't set your execution time to less than the database timeout. Or don't set the application recycle to be less than the session timeout.
SessionState Timeout
This is the number of minutes before an ASP.NET user session is terminated. It must be an integer, and it is in minutes. The default is to terminate the session after 20 minutes and the application will throw an exception when accessing an terminated session. Another way to think of this is that it is the time between requests for a given session (which is per user) before a session is terminated.
I recommend reading Idle Timeout section below to see how these are related.
Using Web.config
<system.web> <sessionState timeout="20" />
<system.web>
Using IIS You can get to the setting by: Open IIS | Properties on Web Site | ASP.NET tab | Edit Configuration... (or Edit Global Configuration to change for more than one site) | State Management tab.
Here you will see a textfield with a label that says "Session timeout (minutes) with a default value of 20 minutes.
Session Timeout Event
When the session times out it fires an event called: Session_End and then when the user hits the page again (after it has expired or the first time), it will start a new session and the Session_Start event is called. It is important to know that the only thing you can really do in the Session_End event is do clean up. This is because this event fire even if a user doesn't hit a page again. In other words, if a session times out due to inactivity, the Session_End is fired even if the user never refreshes the page, etc. It is independent of the page lifecycle. These events are defined in the Global.asax file.
Detecting when a session has timed out The short answer to this is that you have a session time when the following conditions are met:
Context.Session != null
AND Context.Session.IsNewSession == true
AND Page.Request.Headers["Cookie"] != null
AND Page.Request.Header["Cookie"].indexOf("ASP.NET_SessionId") >= 0
The long answer is read this blog for more details and sample code: http://www.eggheadcafe.com/articles/20051228.asp
and http://aspalliance.com/520
Idle Timeout
IIS 6.0 (and probably 7) has a setting that controls how idle processes are handled.
This can also affect the session timeout indirectly. This is the case when let's say you have the Idle timeout set to 10 minutes to save resources. If your site is not used a lot and say that the only user using your site stopped using it 10 minutes ago, this means that your application will get recycled. One of the side effects of an application getting recycled is that all sessions are terminated also. So, in this case even if your session is set to timeout say in 30 minutes, under some conditions (little traffic), it is effectively 10 minutes.
If you have low traffic on your application I strongly recommend you set the Idle Timeout to at least as long as your session timeout, otherwise you will effectively be limiting the session time to the Idle Timeout when there is very little traffic on your site. This is in my cases not the desired behavior.
Here is what the help docs in IIS say:
"Idle timeout limits helps conserve system resources by terminating unused worker processes by gracefully closing idle processes after a specified idle duration. This allows you to better manage the resources on particular computers when the processing load is heavy, when identified applications consistently fall into an idle state, or when new processing space is not available."
Open IIS | Properties on the App Pool you are using | Performance tab Here you will see a setting that says: "Shutdown worker processes after being idle for 20 (time in minutes)" where 20 is the default.
NOTE: Some shared hosting provider don't allow you to access or change this value. In this case one option is to at a set interval ping your application (from a program running on another computer) to keep it alive and thus not get recycled. Though some providers may change the setting so that all application are recycled at particular times as well. Best of luck working with shared hosting providers. I would love to have feedback on a shared hosting provider that has settings that are good for low traffic sites.
Recycle Worker Processes
IIS 6.0 (and probably 7) has a another setting that you can set that determines when the worker processes are recycled.
Open IIS | Properties on the App Pool you are using | Recycling tab
Here you will see a setting that says:
"Recycle worker processes (in minutes):" with a default value of 1740 which is 29 hours.
Classic ASP - Session State timeout in IIS There is a setting in IIS 6 (and probably 5 and 7) that controls the session timeout in minutes if the user does not refresh or change pages in the specified number of minutes. This is for Classic ASP pages NOT ASP.NET. So don't worry about this for ASP.NET. I added it here since it can be confusing You can get to the setting by: Open IIS | Properties on Web Site | Home Directory tab | Configuration button | Options tab.The field label is "Session timeout:" and the value is 20 minutes as the default value.
Classic ASP - Script timeout in IIS There is a setting in IIS 6 (and probably 5 and 7) that controls the script timeout in seconds. This is the time that ASP allows a script to run before it stops the script and records the event in the Event Log. This is for Classic ASP pages NOT ASP.NET. So don't worry about this for ASP.NET. I added it here since it can be confusing. You can get to the setting by: Open IIS | Properties on Web Site | Home Directory tab | Configuration button | Options tab.The field label is "ASP script timeout:" and the value is 90 seconds as the default value.
Alternate Timeout handling Mechanisms In some cases you want to inform the user about session timeout status or automatically have it renew, or maybe any other sort of action. You can use JavaScript / AJAX to accomplish this. If you have access to IIS configuration and you are something like an Intranet you can set your application pool to not recycle if you have enough resources, and set an extremely long session timeout and then handle the timeout on the client side instead. This appears to be a much better experience for the user in general. However, you can also use these techniques to just improve the experience the user has when a session times out.
This article goes into great detail so I won't. The article (http://ajaxpatterns.org/Timeout) does such a wonder job of explaining it. It is complete with demos as well.
Here is a nice link (http://www.pascarello.com/AjaxSessionTimer.aspx) to a timeout warning message box that shows when your session is about to expire. It does not get past the issue of the application being recycled so be sure to adjust that as recommended above.
Here is a link to stuff to make your UI look really cool: http://script.aculo.us/
Script Timeout
While this is not really session timeout, it could affect it in rare instances so I am mentioning it here for completeness. This is the maximum time an .aspx page can run before timing out. It can be set in two places. Either the web.config (or machine.config for all sites) or via code using Script.ScriptTimeout. If you have debug enabled in web.config then the Server.ScriptTimeout is set to 30000000 seconds (or 347.2 days). Otherwise the default is 90 seconds. This setting is most important if you have long requests that need processing like file uploads, etc. In general the defaults are probably ok.
Using the web.config
This sets the timeout to 3 minutes.
<compilation debug="false"/>
<httpRuntime executionTimeout="180" />
Using code
Server.ScriptTimeout
Using IIS
You can get to the setting by: Open IIS | Properties on Web Site | ASP.NET tab | Edit Configuration... (or Edit Global Configuration to change for more than one site) | Application tab.
Here you will see a textfield with a label that says "Request Execution timeout (seconds):" with a default value of 110 seconds.
IMPORTANT NOTE: Be sure to uncheck the "Enable debugging" checkbox next to this field, otherwise, the value will be ignored and set to the 30,000,000 seconds that debugging defaults to.
