Increasing session timeout in asp.net core web app

Stuart Little 21 Reputation points
2022-04-26T16:38:17.34+00:00

Hi,

I would like to increase the session timeout from 20 minutes to 4 hours.

To achieve this, in the ConfigureService of startup.cs, I have the following code

services.AddAuthentication("SampleAuth")
                .AddCookie("SampleAuth", config =>
                {
                    config.Cookie.Name = "Sample.Cookie";
                    config.LoginPath = "/Login/Index";
                    config.AccessDeniedPath = "/Login/Unauthorized";
                    config.ExpireTimeSpan = TimeSpan.FromMinutes(240);
                    config.SlidingExpiration = true;
                });


services.AddSession(options => { options.IdleTimeout = TimeSpan.FromMinutes(240); });

In Configure method, I have app.UseSession();

Also, in the IIS, I have increased the session timeout to 4 hours.

However, the session still timeout after 20 mins.

Can you please let me know what else I am missing?

Thank you.

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,361 questions
{count} votes

Accepted answer
  1. Bruce (SqlWork.com) 60,866 Reputation points
    2022-04-26T17:40:58.387+00:00

    session is unrelated to the authentication cookie. session uses its own cookie with an expiration time. most likely your server is going idle and being recycled, thus changing the encryption keys, making both cookies invalid.

    either use a persistent key storage provider, or disable idle shutdown.

    https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-6.0


2 additional answers

Sort by: Most helpful
  1. Brando Zhang-MSFT 3,441 Reputation points Microsoft Vendor
    2022-04-27T07:48:56.497+00:00

    Hi @Stuart Little ,

    By default, the session's data is stored inside the server memory and the IIS contains the idle-timeout. The idle-timeout default value is 20 minutes. If there is no request send to the server during 20 minutes. The IIS will terminate the application pool's worker process. If you don't want to use other storage like redis or storage to store the session data, I suggest you could modify the idle tomeout to 0.

    More details about how the session state works inside the IIS, I suggest you could refer to this article.

    196883-image.png

    1 person found this answer helpful.
    0 comments No comments

  2. SurferOnWww 2,406 Reputation points
    2022-04-27T04:22:15.84+00:00

    Can the following Microsoft document help?

    Session and state management in ASP.NET Core
    https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-6.0

    As for the "Increasing session timeout" see the following section:

    Configure session state
    https://learn.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-6.0#configure-session-state

    I would like to increase the session timeout from 20 minutes to 4 hours.

    Try to set: options.IdleTimeout = TimeSpan.FromHours(4);