Share via

Azure App Service Session Timeout Issue Behind Application Gateway

N. Nifan 55 Reputation points
2025-03-20T13:59:32.08+00:00

Hello Microsoft Community,

We are facing session timeout issues with our applications hosted on Azure App Service behind an Application Gateway with WAF enabled. Users can access the applications normally, but after some time, the session expires automatically.

Environment Details:

  • App Services: Multiple applications running on Azure App Service
  • Load Balancer: Azure Application Gateway with WAF enabled
  • Session Handling: Managed by the application
  • Authentication: [Specify if using Azure AD, cookie-based auth, JWT, etc.]

Troubleshooting Steps Taken:

  1. Enabled "Always On" for all App Services.
  2. Increased Application Gateway request timeout to 600 seconds (previously 120 sec).
  3. Checked App Service Logs – No unexpected cold starts were found.
  4. Reviewed authentication/session configuration in the application – No changes that should cause session drops.
  5. Checked WAF Logs – No clear indicators of session termination yet.
  6. Tested direct access to App Service URL (yourapp.azurewebsites.net) without WAF/Application Gateway – [Mention if the issue still occurs or not].

Request for Help:

  • Could WAF settings be terminating the session unexpectedly?
  • Is there any hidden session timeout setting in Azure App Service we should check?
  • Are there any other timeout values in Application Gateway that could cause this?
  • Any recommendations on debugging this further?

Would appreciate any insights or guidance on resolving this issue!

Thanks in advance! 🚀

User's image

User's image

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,672 questions
Accepted answer
  1. Siva Nair 1,400 Reputation points Microsoft External Staff
    2025-03-20T21:58:00+00:00

    Hi N. Nifan,

    Here are some detailed based on the points you mentioned,

    1. Could WAF settings be terminating the session unexpectedly?

    Yes, WAF settings could potentially terminate sessions unexpectedly. WAF rules are designed to protect your applications from various threats, but sometimes they can be overly aggressive and block legitimate traffic. It's essential to review the WAF logs for any blocked requests or anomalies that might be causing session terminations. Look for any rules that might be triggered frequently and consider adjusting them if necessary.

    1. Is there any hidden session timeout setting in Azure App Service we should check?

    Azure App Service itself does not have a hidden session timeout setting that you can configure directly. However, session timeouts are typically managed within your application code. For example, in a web application, you can set the session timeout in the web.config file or through application settings. Ensure that your application is correctly managing sessions and that session tokens or cookies are not being invalidated prematurely.

    1. Are there any other timeout values in Application Gateway that could cause this?

    The Azure Application Gateway has a default request timeout of 20 seconds, which can be increased up to 4 minutes. You've already increased it to 600 seconds, which should be sufficient. However, ensure that the backend services are configured to handle long-running requests appropriately. Additionally, check if there are any other timeout settings in your application or infrastructure that might be causing the issue.

    Recommendations for Debugging

    1. Review Application Logs: Continue monitoring the application logs for any signs of session drops or errors that might indicate the cause of the issue.
    2. Check WAF Logs: Look for any blocked requests or anomalies in the WAF logs that might be terminating sessions unexpectedly.
    3. Direct Access Testing: Confirm whether the issue persists when accessing the App Service URL directly without the Application Gateway. This can help isolate whether the problem lies with the Application Gateway or the App Service.
    4. Session Management: Ensure that your application is correctly managing sessions and that session tokens or cookies are not being invalidated prematurely.
    5. Consult Documentation: Refer to the Azure documentation for detailed guidance on configuring session timeouts and managing sessions in Azure App Service and Application Gateway.

    Microsoft.Network/applicationGateways - Bicep, ARM template & Terraform ...

    Azure Application Gateway documentation | Microsoft Learn

    Azure Firewall and Application Gateway for virtual networks

    If you have any further assistant, do let me know.

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.