This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 3%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESL%3C/text%3E%3C/svg%3E)
Hi,
I would like to increase the session timeout from 20 minutes to 4 hours.
To achieve this, in the ConfigureService of startup.cs, I have the following code
services.AddAuthentication("SampleAuth")
.AddCookie("SampleAuth", config =>
{
config.Cookie.Name = "Sample.Cookie";
config.LoginPath = "/Login/Index";
config.AccessDeniedPath = "/Login/Unauthorized";
config.ExpireTimeSpan = TimeSpan.FromMinutes(240);
config.SlidingExpiration = true;
});
services.AddSession(options => { options.IdleTimeout = TimeSpan.FromMinutes(240); });
In Configure method, I have app.UseSession();
Also, in the IIS, I have increased the session timeout to 4 hours.
However, the session still timeout after 20 mins.
Can you please let me know what else I am missing?
Thank you.
Maybe you should also set the value of options.Cookie.Expiration?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
session is unrelated to the authentication cookie. session uses its own cookie with an expiration time. most likely your server is going idle and being recycled, thus changing the encryption keys, making both cookies invalid.
either use a persistent key storage provider, or disable idle shutdown.
Thanks for your reply. Is this something new with .net core? I dont know if disabling idle time was required in pre .net core era. Increasing session state in IIS was all that was required.
the same issue with classic asp.net, but you could define machine key values in the web.config, so it worked like a persistent key store.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 78%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Hi @Stuart Little ,
By default, the session's data is stored inside the server memory and the IIS contains the idle-timeout. The idle-timeout default value is 20 minutes. If there is no request send to the server during 20 minutes. The IIS will terminate the application pool's worker process. If you don't want to use other storage like redis or storage to store the session data, I suggest you could modify the idle tomeout to 0.
More details about how the session state works inside the IIS, I suggest you could refer to this article.
Can the following Microsoft document help?
Session and state management in ASP.NET Core
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-6.0
As for the "Increasing session timeout" see the following section:
Configure session state
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-6.0#configure-session-state
I would like to increase the session timeout from 20 minutes to 4 hours.
Try to set: options.IdleTimeout = TimeSpan.FromHours(4);
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 53%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPG%3C/text%3E%3C/svg%3E)
Hi @SurferOnWww ,
If this is running on IIS will this override the IIS 20 minute default idle-timeout and thus continue to be valid up to 4 hours, or will IIS still recycle the pool and thus change the encryption keys as mentioned by @Bruce (SqlWork.com) ?
See also the answer by @Brando Zhang-MSFT
Thanks