Changing timeouts for websites/web applications

7 01 2009

As the result of a recent request, I was required to change the timeout on one of the web applications I work on.

From researching this subject, I have found there are 3 timeouts used in the web.config file.

  1. forms timeout
  2. sessionState timeout
  3. cookie timeout

My web application only uses the first 2 of these 3 timeouts. The ASP.NET default value for both of these is 30 minutes. I changed both of these values to 60 minutes. However, my web application was still timing out after 30 minutes. Confusion ensued!

After more research, I found there is also a timeout of sorts on the Application Pool you are using (set in IIS). In the first tab of the properties, Recycling, there is an option to “Recycle worker processes (in minutes)”. Mine was set to 1740 minutes, so this wasn’t my problem, but it is worth a mention, I feel, as it could have been causing my problem.

I then decided to try adding another option into my web.config file. I had already added:

<authentication mode="Forms">
  <forms timeout="60" />
</authentication>

So I then added:

<authentication mode="Forms">
  <forms timeout="60"
         slidingExpiration="true" />
</authentication>

The slidingExpiration property then comes with a small problem of its own. In MSDN’s words:

“If the SlidingExpiration attribute is true, the timeout attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users that have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. This might result in a loss of precision.”

This basically means that if you, like me, set a timeout of 60 minutes, the expiration time of the authentication cookie is only updated if 30 idle minutes pass before the next request is made. So if a user signs in at 10:00 and then stays idle until 10:26 when they make a request, you would expect that the timeout would be reset and would next be expected at 11:26. In fact, because their request was made less than halfway into the timeout period, if they remain idle after their 10:26 request, the timeout will occur at 11:00.

There are various ways to get around this problem. I personally chose to live with it!
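The 10:00 / 10:26 case above can be replayed with a small model of the half-time renewal rule that MSDN describes. This is an added example, not code from the original post or from ASP.NET itself; the names Ticket, on_request, replay and idle_allowance are hypothetical and the sample times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

TIMEOUT = timedelta(minutes=60)  # mirrors <forms timeout="60" slidingExpiration="true" />


@dataclass(frozen=True)
class Ticket:
    issued: datetime
    expires: datetime


def on_request(ticket: Ticket, now: datetime, timeout: timedelta = TIMEOUT) -> Optional[Ticket]:
    """Apply one request to the ticket; None means the user has been signed out."""
    if now >= ticket.expires:
        return None
    elapsed, remaining = now - ticket.issued, ticket.expires - now
    if remaining > elapsed:
        return ticket  # under half the timeout used: cookie is not reissued
    return Ticket(issued=now, expires=now + timeout)  # past halfway: window slides


def replay(sign_in: datetime, requests: Iterable[datetime],
           timeout: timedelta = TIMEOUT) -> Optional[Ticket]:
    """Replay request times after sign-in and return the final ticket (or None)."""
    ticket: Optional[Ticket] = Ticket(sign_in, sign_in + timeout)
    for now in requests:
        ticket = on_request(ticket, now, timeout)
        if ticket is None:
            return None
    return ticket


def idle_allowance(sign_in: datetime, last_request: datetime) -> Optional[timedelta]:
    """How long the user may stay idle after last_request before being signed out."""
    ticket = replay(sign_in, [last_request])
    return None if ticket is None else ticket.expires - last_request


if __name__ == "__main__":
    day = datetime(2009, 1, 7)  # constructed sample times
    at = lambda h, m: day.replace(hour=h, minute=m)
    for req in (at(10, 26), at(10, 31)):
        t = replay(at(10, 0), [req])
        print(f"request {req:%H:%M} -> expires {t.expires:%H:%M}, "
              f"idle allowance {idle_allowance(at(10, 0), req)}")
```

With timeout="60", the idle period a user actually gets after their last request therefore falls anywhere between roughly 30 and 60 minutes, which matters when the timeout is meant to enforce a fixed idle sign-out.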

Even more research then uncovered there is another timeout of sorts if you are using the SqlProvider as your defaultProvider:

<membership defaultProvider="SqlProvider">

Another property that can be determined here is as follows:

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="60">

However, adding this property didn’t solve my problem either. So I removed it again!

After forum posting and more internet trawling, I found a snippet of code that was different to my own. Where I had added:

<sessionState timeout="60" />

The snippet of code I found was:

<sessionState mode="InProc" timeout="60" />

So I added in the mode and hey presto! It works!

So in summary, in order to change the timeout of my web application, I added the following lines to my web.config file:

<sessionState mode="InProc" timeout="60" />
<authentication mode="Forms">
  <forms timeout="60" slidingExpiration="true" />
</authentication>