I need to give my ASP.NET website users a way to control their session timeout.
I am using FormsAuthenticationTicket and cookies.
I want to give the users a way to specify how long the session will stay active. The range can vary between a few minutes to 1 day or even more.
I’m using idleTimeout (I asked a question here).
Also, I save the value entered by the user in the database and using that value I initialize the FormsAuthenticationTicket.
I have 2 more concerns: Application Pool and cookie. My website runs under a dedicated App Pool. Do I need to change the idleTimeout property for App Pool, too? Not programmatically, of course.
Anyway, to phrase my question: what other settings need to be done in order to have the session expiration dynamically set and working no matter what time interval?
Thanks.
EDIT: I am using IIS7 on a Windows Server 2008 machine.
it is never a good idea have a session time out too long as you will keep busy some resource on the server and if your web app is accessed by lots of different user it could affect the server performance.
Anyway you can just change the session time out programmatically using the below code
bear in mind that session timeout should be less than Application pool idle timeout, so if you increase session timeout, you have to increase application idle timeout too. Otherwise, application will get recycled. If application is recycled, sessions will expire automatically.
The minimum allowed value is 1 minute and the maximum is 1440 minutes.