Granted this isn’t your everyday problem / requirement, and I’m sure few of us can remember the last time a user called the helpdesk requesting the ASP.net session cookie timeout was increased. However we recently had to do just that in order to prevent users getting logged out of the Filestream document management system web module.
Having to keep re-logging in was time consuming and irritating for the users, many of whom were on slow 2g or 3G connections and, as such, needed to make the most of their bandwidth and time. The web module is an ASP application, and the server keeps track of the user session by issuing an ASP session cookie to the client, which contains a unique ID mapped to a session on the server. Armed with this knowledge, the relevant time-out settings shouldn’t be too hard to find…
You can set the default session cookie timeout in IIS 7.0 from the features page > ASP.NET > Session State > Cookie Settings. We therefore stuck 120 minutes in the box, clicked OK, ran IISRESET and away we go? Not quite! – After doing this, unfortunately the session still timed out at the default 20 minutes. It turns out that the idle timeout also needs to be configured on the AppPool that the web service is using, otherwise the session data will be lost anyway when the worker process exits. Right-click on the website your app uses > Manage Application > Advanced Settings > note which application pool it is using.
Click OK on here, exit IIS manager and run another IISRESET and this time we are good to go. Now users can work in the web app, do something else, come back and carry on working without having to re-login.