Are there any drawbacks or limitations to setting the maximum session timeout?

In asp.net, the default session time is 20 minutes. Suppose if I change the session timeout period to 2 hours or more, will this lead to any server-side performance issue?

I would like to know if there are any limitations or disadvantages of using max session time in asp.net?

Please help me out of this problem?

+4
4 answers

Sessions are maintained on the server for each user. Increasing session time will not allow the server to free up memory allocated for an inactive session.

I would like to know if there are any limitations or disadvantages using max session time in asp.net?

HttpSessionState.Timeout Property

The Timeout property cannot be set to a value exceeding 525,600 minutes (1 year). The default value is 20 minutes.

Disadvantage: You will have performance problems if you have a large number of users; with an increased session timeout, your inactive sessions will remain in the memory of the web server, which can lead to the application pool being recycled, which will result in the loss of all sessions for all users.

+5

If you use IIS6 or higher, depending on the settings of your application pool, this may affect how often the w3wp process is recycled. When the application pool is recycled, your sessions will be lost unless you use out-of-process session state or SQL as the session state host.

If you increase the timeout to two hours, individual users will not often lose their session, but this increases the likelihood that all users viewing the site will sometimes be logged out when the process is recycled.

+1

An increase in session time means that a webpage that is left idle is less likely to log out (for example, if a user leaves for lunch while leaving the webpage open). However, this takes up more server resources, because, according to Habib, the server must store user information during this time.

This may be a security risk. If the user closes the webpage but does not log out, it enlarges the window for a CSRF attack.

It's best to understand how your users use the web page. If the pages should stay alive for a long time, look at a periodic callback or a page refresh. Alternatively, if the site is security sensitive, consider automatically logging the user out after a period of inactivity.

+1

Keep in mind that if you try to increase the timeout value in a shared hosting environment, you will fail, because they block you from doing this by setting this value in machine.config, and that takes precedence; you will need to use SQL Session, and then you can change this timeout as you please.

They also usually restart the AppPool every so often to unblock any malicious or bad code that may be blocking other websites, and every time the AppPool restarts all your sessions are gone (not if you use SQL sessions instead, of course).

On the other hand, if you host your web application on your own, apart from the size in memory (remember that I'm assuming that you are talking about user sessions, which, as the name says, are per user; for per-application state you would use Application Sessions), if you think the increase in memory is fine, nothing, not even performance, will suffer.

0
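The settings the answers above refer to, as an added web.config example that is not taken from any of the answers. It assumes a site using Forms authentication and a session-state database already provisioned with aspnet_regsql; the server name, login path and the 30-minute login timeout are placeholders.

```xml
<!-- web.config fragment (added example; server name, login path and
     timeout values are constructed placeholders, not from the page) -->
<configuration>
  <system.web>

    <!-- Default behaviour discussed in the answers: state lives inside the
         w3wp worker process and is lost for every user on a recycle.
    <sessionState mode="InProc" timeout="20" />
    -->

    <!-- Out-of-process state: idle sessions are stored in SQL Server rather
         than in worker memory, so they survive an application pool recycle.
         timeout is in minutes (120 = the two hours from the question;
         the documented maximum is 525600).
         Objects placed in Session must be serializable in this mode. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=SESSION-DB-PLACEHOLDER;Integrated Security=True"
                  timeout="120"
                  cookieless="UseCookies" />

    <!-- Session-state lifetime and login lifetime are separate settings.
         A long sessionState timeout does not have to mean a long-lived
         authenticated session: the Forms ticket below expires after
         30 idle minutes, which bounds the window in which an abandoned
         but still authenticated browser can be abused. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>

    <!-- Keep session and auth cookies away from script and plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

  </system.web>
</configuration>
```

On shared hosting, a value locked in machine.config overrides the sessionState timeout set here, as the last answer notes.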
