StuartLittle-1685 asked PhilGeorge-9618 commented

Increasing session timeout in asp.net core web app

Hi,

I would like to increase the session timeout from 20 minutes to 4 hours.

To achieve this, in the ConfigureService of startup.cs, I have the following code

    services.AddAuthentication("SampleAuth")
        .AddCookie("SampleAuth", config =>
        {
            config.Cookie.Name = "Sample.Cookie";
            config.LoginPath = "/Login/Index";
            config.AccessDeniedPath = "/Login/Unauthorized";
            config.ExpireTimeSpan = TimeSpan.FromMinutes(240);
            config.SlidingExpiration = true;
        });

    services.AddSession(options => { options.IdleTimeout = TimeSpan.FromMinutes(240); });

In Configure method, I have app.UseSession();

Also, in the IIS, I have increased the session timeout to 4 hours.

However, the session still times out after 20 mins.

Can you please let me know what else I am missing?

Thank you.



Maybe you should also set the value of options.Cookie.Expiration?


Bruce-SqlWork answered Bruce-SqlWork commented

Session is unrelated to the authentication cookie. Session uses its own cookie with an expiration time. Most likely your server is going idle and being recycled, thus changing the encryption keys, making both cookies invalid.

Either use a persistent key storage provider, or disable idle shutdown.

https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-6.0


Thanks for your reply. Is this something new with .net core? I don't know if disabling idle time was required in pre .net core era. Increasing session state in IIS was all that was required.

Bruce-SqlWork, in reply to StuartLittle-1685:

The same issue with classic asp.net, but you could define machine key values in the web.config, so it worked like a persistent key store.

surferonwww answered PhilGeorge-9618 commented

Can the following Microsoft document help?

Session and state management in ASP.NET Core
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-6.0

As for the "Increasing session timeout" see the following section:

Configure session state
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/app-state?view=aspnetcore-6.0#configure-session-state

"I would like to increase the session timeout from 20 minutes to 4 hours."

Try to set: options.IdleTimeout = TimeSpan.FromHours(4);


Hi @surferonwww,

If this is running on IIS will this override the IIS 20 minute default idle-timeout and thus continue to be valid up to 4 hours, or will IIS still recycle the pool and thus change the encryption keys as mentioned by @Bruce-SqlWork?

See also the answer by @BrandoZhang-MSFT

Thanks

BrandoZhang-MSFT answered

Hi @StuartLittle-1685,


By default, the session's data is stored in server memory, and IIS has an idle timeout. The idle-timeout default value is 20 minutes. If no request is sent to the server for 20 minutes, IIS will terminate the application pool's worker process. If you don't want to use other storage like Redis or storage to store the session data, I suggest you could modify the idle timeout to 0.

For more details about how session state works inside IIS, I suggest you refer to this article.
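
The two suggestions in the answers above (a persistent key store, and session storage outside the worker process) combined in one Startup, as an added example that is not code from any of the posters. The application name, key directory and Redis address are assumed placeholders, and the Redis cache assumes the Microsoft.Extensions.Caching.StackExchangeRedis package is referenced.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Keep the Data Protection key ring on disk. If the keys live only in
        // the worker process, a recycle produces new keys and cookies issued
        // before it (auth and session) can no longer be decrypted.
        services.AddDataProtection()
            .SetApplicationName("SampleApp")                                  // assumed name
            .PersistKeysToFileSystem(new DirectoryInfo(@"C:\keys\SampleApp")) // assumed path
            // Encrypt the key files at rest (Windows DPAPI, machine scope);
            // also restrict the directory ACL to the app pool identity.
            .ProtectKeysWithDpapi(protectToLocalMachine: true);

        // Session data in an out-of-process cache, so it survives a recycle.
        services.AddStackExchangeRedisCache(options =>
        {
            options.Configuration = "localhost:6379"; // assumed Redis endpoint
            options.InstanceName = "SampleApp:";       // assumed key prefix
        });

        services.AddAuthentication("SampleAuth")
            .AddCookie("SampleAuth", config =>
            {
                config.Cookie.Name = "Sample.Cookie";
                config.ExpireTimeSpan = TimeSpan.FromHours(4);
                config.SlidingExpiration = true;
            });

        services.AddSession(options =>
        {
            options.IdleTimeout = TimeSpan.FromHours(4);
            // A 4-hour session cookie is worth protecting in transit and from script access.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.IsEssential = true;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseSession();
    }
}
```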


