I’m working on a web application that currently uses a Session to hold the userid and privileges. This is causing a problem for me because the client ip address changes normally every 5 minutes, sometimes faster, so the sessions are lost.
My current work around is to encrypt a string the will auto-login when the session dies, but it still causes issues because forms will not be submitted if the auto-login process has to be run.
I can post some code, but I feel that I’m way off base with my current method of attack. Can I please get some suggestions?
Thank you!
The webapp is for about 10 users and if possible, I’d like it to never timeout so that if they are looking at a page for 4 days and come back to it, they can press submit and it submits.
I’m not sure why you’re losing session after 5 minutes, or why it appears to be correlated with client IP address changes (is this an intranet app? Does something else happen on 5 minute intervals?).
The following
web.configsetting should create sessions that last for 6 months, and will survive application pool recycles:Of course, you’ll have to have the state server running on your machine, and everything stored in the session will need to be serializable.
As Jarrett points out, it’s rather odd to want to keep sessions alive for so long with no activity, and I wouldn’t recommend it if there was going to be a significant number of users, but if it really is 10 and only 10 users, it’s probably okay.