User session timeout issues on the WAF-protected web application. After two or three minutes, the session closes, but response times when making requests or navigating within the application are functioning accordingly.

Question

User session timeout issues on the WAF-protected web application. After two or three minutes, the session closes, but response times when making requests or navigating within the application are functioning accordingly.

Juan Eduardo Diaz 20

The logs within the login have been reviewed and no time periods exceeding 15 or 20 seconds have been found. However, user sessions are constantly being closed.

Juan Eduardo Diaz 20 Reputation points

2025-05-27T13:49:39.6+00:00

It is mainly when opening files or links from the application in new windows/tabs
Shravan Addagatla 1,530 Reputation points Microsoft External Staff Moderator

2025-05-27T14:39:04.7633333+00:00
Hi Juan Eduardo Diaz

I understand you're facing an issue with user sessions timing out too quickly on your WAF-protected web application. It might be related to the session timeout settings in your web application or could be at the WAF level. Here are a few things to check:

You check the session timeout settings in your web.config file and ensure that session state timeout is set to a longer duration. For instance, you can set it to 15 minutes like this:

<forms name=".ASPXAUTH" loginUrl="login.aspx" defaultUrl="default.aspx" protection="All" timeout="15" path="/" requireSSL="true" slidingExpiration="true"/>

And for the session state:

<configuration> <system.web> <sessionState mode="InProc" cookieless="true" timeout="15" /> </system.web> </configuration>

If users are opening files or links in new tabs, ensure there's no inactivity timeout configured that might be closing the session if the user doesn't interact with the original tab.

In case, if you're using ADFS for authentication, ensure that the lifetime of the Auth tokens is set correctly. You can set it with a PowerShell command like this:

Set-ADFSRelyingPartyTrust -TargetName "<RelyingPartyWebApp>" -ClaimsProviderName @("Active Directory") -TokenLifetime 15 -AlwaysRequireAuthentication $true

If you're using Azure Application Gateway with WAF, enable the diagnostic logs and see what the response time from the backend for the failed or timeout sessions and if backend is causing delay, ensure that the request timeout is set appropriately. Some users have reported session timeout issues when using WAF with Azure App Service. you can refer this article: azure-app-service-session-timeout-issue-behind-app

To isolate the issue, please try to access your application without AppGw WAF (e.g., using the direct Application URL) to see if the issue persists.

Could you provide the below information over private messages to investigate this issue further.

Which specific WAF service you're using?

Any authentication methods utilized?

Are there any custom policies affecting session management in your application?

Reproduce the issue and share the browser HAR trace to understand the cause.

Please add a comment if you have any questions. Thanks,
Juan Eduardo Diaz 20 Reputation points

2025-05-27T17:00:19.6533333+00:00

At this time, the WAF policy is in audit mode only. User session closures only occur when they pass through the WAF. If they pass directly, it does not cause any problems, so the application's own configuration file settings work fine. We will try to export the HAR trace
Shravan Addagatla 1,530 Reputation points Microsoft External Staff Moderator

2025-05-27T17:18:19.0933333+00:00

Hi Juan Eduardo Diaz

you can share both working and not-working HAR trace files over private messages to understand more about the issue. Thanks,
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-05-29T05:39:44.0933333+00:00

Hi Juan Eduardo Diaz

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

1 answer

Your answer

Juan Eduardo Diaz 20 Reputation points

2025-05-27T13:49:39.6+00:00

It is mainly when opening files or links from the application in new windows/tabs
Juan Eduardo Diaz 20 Reputation points

2025-05-27T17:00:19.6533333+00:00

At this time, the WAF policy is in audit mode only. User session closures only occur when they pass through the WAF. If they pass directly, it does not cause any problems, so the application's own configuration file settings work fine. We will try to export the HAR trace
Shravan Addagatla 1,530 Reputation points Microsoft External Staff Moderator

2025-05-27T17:18:19.0933333+00:00

Hi Juan Eduardo Diaz

you can share both working and not-working HAR trace files over private messages to understand more about the issue. Thanks,
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-05-29T05:39:44.0933333+00:00

Hi Juan Eduardo Diaz

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

Answer 1

Hi Juan Eduardo Diaz

If your Application Gateway is using HTTP/2, the TCP idle timeout is hardcoded to 180 seconds (3 minutes) by default and cannot be modified.

For HTTP/1.1, the Keep-Alive timeout is 120 seconds (non-configurable), and the TCP idle timeout is 4 minutes by default on public IPs—but this can be increased up to 30 minutes. If you're using a private IP, the idle timeout is fixed at 5 minutes.

User's image

Ref: What are the settings for Keep-Alive timeout and TCP idle timeout?

Check if the suggestion below can resolve your issue.

Check if HTTP/2 is enabled and test with it disabled temporarily.

$appgateway = Get-AzApplicationGateway -Name test -ResourceGroupName hm
$appgateway.EnableHttp2 = $false
Set-AzApplicationGateway -ApplicationGateway $appgateway

Consider enabling session affinity (cookie-based affinity) if not already configured enable by navigating to Backend settings and select your backend settings and enable

Once you enable the cookie-based affinity setting for the service, it directs subsequent traffic from the same user session to the same backend server for processing. follow the Enable cookie-based affinity with Application Gateway
User's image

I hope this helps to resolve your issue. Please feel free to ask any questions if the solution provided isn't helpful.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

User session timeout issues on the WAF-protected web application. After two or three minutes, the session closes, but response times when making requests or navigating within the application are functioning accordingly.

1 answer

Your answer