Reputation: 1744
We've an ASP.NET web app built with MVC 3. We've configured session timeout in web.config (we use forms-based authentication):
<forms loginUrl="~/Common/Login" path="/" protection="All" timeout="180" requireSSL="false" slidingExpiration="true" defaultUrl="~/Common/Login" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
Things have been working fine, but after we went live the employees started using it like a typical Windows app: "Login" once and keep the web app pages open until they worked, sometimes more than a couple of hours. The web app has typical postback pages as well as AJAX-based sections and file uploads.
Some recent debugging and review of user's activity log shows that this has caused some unexpected postback and server-side processing.
How long would you advise to keep the session alive? We also store imp data on server side session object. Can periodic page refresh be a solution?
Upvotes: 1
Views: 3976
Reputation: 1038710
There's a difference between Forms Authentication ticket validity and ASP.NET Session validity. Those are 2 completely unrelated things. What you have shown in your question is the forms authentication ticket validity which you have set to 180 minutes with sliding expiration.
How long would you advise to keep the session alive?
Both the ASP.NET Session (if you are using any) and the forms authentication ticket timeout should be set to the same value. Whether you keep the session alive for a long time or perform periodic pings to the server to keep the session alive would be exactly the same. So you'd better set the timeout to a sufficiently high value instead of hammering your server with periodic requests.
This being said, if you are using ASP.NET Session, and you are storing this session InProc, you should know that the web server could decide to recycle your application at any time. For example, this could happen if certain CPU/memory thresholds are hit. When this happens, if you are storing the session in memory, you will lose all information, no matter how long you have set the timeout value. You should consider using an out-of-process, distributed session storage in this case.
Upvotes: 1
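An added example, not part of the question or the answer above: a web.config fragment that keeps the forms authentication ticket from the question and sets the separate ASP.NET Session timeout to the same 180 minutes, with session state moved out of process. The choice of StateServer mode and the state service address are assumptions for illustration.

```xml
<!-- Added example (web.config fragment), not the asker's actual configuration. -->
<configuration>
  <system.web>

    <!-- Forms authentication ticket: attributes copied from the question.
         timeout is in minutes; slidingExpiration renews the ticket on activity. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Common/Login" path="/" protection="All"
             timeout="180" requireSSL="false" slidingExpiration="true"
             defaultUrl="~/Common/Login" cookieless="UseDeviceProfile"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- ASP.NET Session: a separate setting from the ticket above.
         If this element is omitted, the defaults are mode="InProc" and
         timeout="20" (minutes), so session data would expire long before
         the 180-minute ticket does. Here the timeout matches the ticket.

         mode="StateServer" stores session data in the ASP.NET State Service
         process instead of the worker process, so an application recycle
         does not wipe it. The address below is the service's default local
         endpoint and is an assumption; mode="SQLServer" with
         sqlConnectionString is the database-backed alternative. -->
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  timeout="180" />

  </system.web>
</configuration>
```

With StateServer or SQLServer mode, every object placed in Session must be serializable, so existing session contents should be checked before switching away from InProc.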