Session timeout in ASP.NET

Question

I am running an ASP.NET 2.0 application in IIS 6.0. I want session timeout to be 60 minutes rather than the default 20 minutes. I have done the following

1. Set <sessionState timeout="60"></sessionState> in web.config.
2. Set session timeout to 60 minutes in IIS manager/Web site properties/ASP.NET configuration settings.
3. Set idle timeout to 60 minutes in application pool properties/performance.

I am still getting a session timeout at 20 minutes. Is there anything else I need to do?

Answer 1

Are you using Forms authentication?

Forms authentication uses it own value for timeout (30 min. by default). A forms authentication timeout will send the user to the login page with the session still active. This may look like the behavior your app gives when session times out making it easy to confuse one with the other.

<system.web>
    <authentication mode="Forms">
          <forms timeout="50"/>
    </authentication>

    <sessionState timeout="60"  />
</system.web>

Setting the forms timeout to something less than the session timeout can give the user a window in which to log back in without losing any session data.