Configuring web application session timeouts

To manage a web application's session lifecycle and timeouts, you need to understand and configure three different settings.

Q. Are you looking for a way to manage session timeouts, or stuck because increasing your timeout is not working?

To increase the session timeout, you need to look at every place where a timeout is set, and understand how the different timeouts together define the life of a user session, whether active or inactive. Three different timeouts can affect the user session life cycle:

1) Authentication cookie timeout in config file

Assuming you are using FormsAuthentication, set the timeout in the config file as follows:

    <authentication mode="Forms">
      <forms name="AppRootForms" loginUrl="Login.aspx" protection="All" timeout="20" path="/" slidingExpiration="true"/>
    </authentication>

Here timeout is the time in minutes after which the user's session cookie expires. The above means that after 20 minutes of inactivity the user's session cookie will expire, and the user will have to log in again (i.e. create a new session) to use the application/feature.


The slidingExpiration property in the above configuration, if set to true, resets the timeout on each request from the user; if set to false, it forces the session to expire after every N minutes, even if the user was actively using the application. For more information see the SlidingExpiration MSDN documentation.

Please note that if you are using Windows Authentication, there could be an Active Directory domain policy that logs users out of their Windows session.

The forms authentication timeout can be set in code as well, so make sure it is set properly if you are setting it in code, like:

    formsAuthentication.Timeout = System.TimeSpan.FromMinutes(20);

2) Server SessionState timeout in config file

The sessionState configuration element is used to configure session management on the server, including where the session is stored, whether it is cookieless, etc. It also contains a timeout value, which defaults to 20 minutes. For example, the element in system.web would be:

    <sessionState cookieless="false" timeout="20" mode="InProc"/>

In the above, timeout “specifies the number of minutes a session can be idle before it is abandoned”. So this is the second place to look.

3) Application Pool Idle time-out termination in IIS

Finally, even after you have increased the timeouts of the authentication cookie and the server SessionState, the user will be kicked out of the session if the application pool has remained idle for a certain time.

AppPool Idle Timeout


Now this last part might leave you scratching your head if it is not configured properly, because it only takes effect when there is no activity in the pool at all, meaning there is not a single active user. So it is rare and the chances are low, but it is possible. And if a user really was kicked out due to IIS app pool termination, it is hard to figure out.

If you have not specified timeouts for the authentication cookie and session state explicitly in the web.config file, look at the parent configuration files (i.e. the root web.config, machine.config, etc.).
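
A check for the mismatch described above, as an added example that is not code from the original post: it reads the forms and sessionState timeouts from a web.config and reports which of the three timeouts is shortest. The function names, the sample config and the app_pool_idle_minutes parameter (the IIS value, supplied by the caller) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): forms raised to 60 min, sessionState left at 20.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="AppRootForms" loginUrl="Login.aspx" protection="All"
             timeout="60" path="/" slidingExpiration="true"/>
    </authentication>
    <sessionState cookieless="false" timeout="20" mode="InProc"/>
  </system.web>
</configuration>"""


def read_timeouts(web_config_xml):
    """Return the timeouts set in this file; None means the attribute is not
    set here and is inherited from a parent config file."""
    root = ET.fromstring(web_config_xml)
    forms = root.find("system.web/authentication/forms")
    session = root.find("system.web/sessionState")

    def attr(element, name):
        return None if element is None else element.get(name)

    def minutes(value):
        return None if value is None else int(value)

    sliding = attr(forms, "slidingExpiration")
    return {
        "forms": minutes(attr(forms, "timeout")),
        "session": minutes(attr(session, "timeout")),
        "sliding": None if sliding is None else sliding.strip().lower() == "true",
    }


def audit(web_config_xml, app_pool_idle_minutes):
    """Report which of the three timeouts is shortest. The app pool value is
    passed in by the caller (assumption), since it is not stored in web.config."""
    t = read_timeouts(web_config_xml)
    findings = [f"{k} timeout not set here: check parent config files"
                for k in ("forms", "session") if t[k] is None]
    known = {k: v for k, v in (("forms", t["forms"]), ("session", t["session"]),
                               ("app_pool", app_pool_idle_minutes)) if v is not None}
    shortest = min(known, key=known.get)
    if len(set(known.values())) > 1:
        findings.append(f"timeouts differ: {shortest} ({known[shortest]} min) is shortest")
    if t["sliding"] is False:
        findings.append("slidingExpiration=false: login expires on a fixed schedule")
    return {"timeouts": known, "shortest": shortest, "findings": findings}
```

Calling audit(SAMPLE_WEB_CONFIG, 45) shows that raising only the forms timeout leaves sessionState as the shortest of the three.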

About Bajwa

Ali Haider is a software developer and technology enthusiast based in London. He has over nine years of hands on experience in software design and development using Microsoft technologies on various fronts. He attempts to keep learning and applying cutting edge technologies and best practices, and his passion is to work on complex challenging projects and to develop data crunching frameworks.