ASP.NET Session Timeout Vs Forms Timeout Vs IIS Idle Timeout

When you are working with ASP.NET web applications, you might come across with different types of application timeout settings. A timeout refers to when your application user’s session is being timed out. In this article we will see the possible reasons why your application is timeout and when to use/change timeout setting.

The application timeout is applied at below places in ASP.NET applications:

1. Session State timeout
2. Forms timeout (for Forms Authentication)
3. Application Pool timeout

Session State Timeout:

The Session State timeout will be set either via application’s web.config file or IIS Manager website settings.

In Web.confile, the timeout is configured at sessionState tag which is under the system.web node as shown below.

If you would like to set the timeout via IIS Manager then open IIS Manager, select your website under the Sites node, click on the Session State in right side panel as shown below.

Then you should see a timeout setting under the Cookie Settings section.

The timeout accepts a number in minutes either way you set from Web.config or IIS Manager. 

The session timeout here means that how long the user session is valid to expire, which is created on their first request to the application. 

Let say, you add some value/object to session and session time is 20 minutes, then the data stored in the session will be removed after 20 mins.

Forms Timeout:

The Forms Timeout is another timeout setting in web.config if you are using the Forms Authentication.

The timeout in Forms Authentication refers to number of minutes to expire the authentication cookie, which is created while user sign in via Forms Authentication. Once the cookie is expired, the user no longer be authenticated and pushed back to login url page. And, the timeout will behave based on the sliding expiration true or false as you configured in web.config file.

When you set slidingExpiration=true, the timeout will be counted from the last request to server.

When you set slidingExpiration=false, the timeout will be counted from the moment user login to application irrespective of user makes a request within the timeout value or not.

Application Pool timeout:

IIS Application Pool also has another timeout setting which is called Idle Timeout setting. To view or modify this value, go to IIS Manager and visit the Application Pools which is under root IIS Server name. Select your application pool and click on the ‘Advanced Settings…’ link under the right side Action pane.

You should be able to see the Idle timeout setting under a launched dialog as shown below:

The Idle timeout of application pool refers to the number of minutes to shutdown the application pool. Which means that, if the application is idle and there are NO new requests come within the specified timeout minutes by any user then the application pool will be shutdown the worker process and releases all the resources.

Even though it is good to preserve the server resources, the drawback of this Idle timeout is the first new request after the application pool shutdown will take longer time to serve it, because of worker process needs to start again, load all the application’s assemblies and then load and process the requested page. The amount of time it takes to serve the new request is completely depends on the size, server capacity, and complexity of the application, somewhere couple of seconds to 20+ seconds.

If you wish to disable the behavior of Idle timeout, then just change the default value of 20 minutes to 0, so that application pool will never shutdown.

Keys to remember:

1. Session state timeout and Forms authentication timeout are two different things.

2. Session State timeout will tell you when your data in session will expire.

3. The forms authentication timeout will tell you, when your authentication cookie will expire.

4. Application pool Idle timeout will tell you when your application pool will shutdown when NO new requests to server.

5. If your forms timeout is having lesser value than session state timeout, then your session data will still be available after relogin.

6. If your form timeout is having higher value (with slidingExpiration=true) then your session state timeout will be reset whenever the new request come to server. So, your session data will always be available.

7. If your form timeout is having higher value (with slidingExpiration=false) then your data in session will be expired before forms authentication timeout.

8. If your application pool Idle timeout value is lesser than session state value, then application pool will shutdown first before session data expires. Once application pool shutdown, your session data no longer available.

Thank you for reading the article and hope it helps the way you need. Have any queries? Please use the below comment box for further clarifications. Please visit here for more technical articles.