Tuesday, September 14, 2010

Session Timeout Settings in IIS7

We did a release to a production environment running IIS7.x, .NET 4, MVC2, etc. Everything went smoothly and after several hours, we started to get calls about time-out issue. Our users want the time-out to be 1 hour (the current setting) which is obviously longer than 20 minutes (which is the default setting).

I remember changing and rechecking this parameter value in the web.config and also in the IIS box, both in our test and production environments. So we double checked and everything was setup correctly - so we did our own test. After 10 minutes, no time out - as expected. But on the 20-25 minutes test, we did get a time out. We triple-check our web.config and application pool setting - they are all setup correctly.

So, apparently, I missed one other time out setup in IIS - the cookie time out. Basically there are 3 (or 4 depending on your authentication setup) settings that need to be managed. IIS will use the lowest value. The main 3-4 settings that I have to change are:
  1. Application Pool - - Advanced Settings Menu - Process Model - Idle Time-out (minutes)
  2. Sites - - Session State - Cookie Settings - Time-out (in minutes)
  3. If you are using State Server or SQL Server to manage your session (instead of InProcess), you will need to set these values up too: Sites - - Session State - Session State Mode Settings
  4. Under web.config - system.web - authentication mode - forms - timeout (for form authentication)
-- read more and comment ...