.NET Core 3.1 web Session Timeout

Question

I'm hosting a C# website (.NET Core 3.1) with IIS. I've set the IIS Application Pool's "Idle Time-out (minutes)" to 150. I've restarted the website and recycled the application pool.

Authentication is done with Microsoft.AspNetCore.Identity.SignInManager.

User's log in, but their login session is automatically expired under 45 minutes of inactivity. I don't know at what point they are logged out precisely yet (my guess is 20 minutes).

As the IIS session logout is 150 minutes, why are the users logged out in less than 45 minutes?

Is there a way to make their session last a minimal of 150 minutes using IIS, appsettings.json, or web.config?

I think I can do this in code:

services.AddSession(options =>
{
    options.IdleTimeout = TimeSpan.FromHours(3);
});

... and possibly read that value from aspsettings.json, but I don't want to hard-code the value as it might change from environment to environment.

Answer 1

I found the issue. In Starup.cs this was found:

services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/Account/Login";
    options.LogoutPath = "/Account/Logout";
    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
});

For my sanity I changed it to:

int timeoutInMinutes = 30;
try
{
    timeoutInMinutes = Int32.Parse(Configuration.GetSection("AppSettings:SessionTimeoutInMinutes").Value);
}
catch (Exception) { } // do nothing

services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/Account/Login";
    options.LogoutPath = "/Account/Logout";
    options.ExpireTimeSpan = TimeSpan.FromMinutes(timeoutInMinutes);
});

With this change in place, the logged in session now expires in 30 minutes if not changed in appsettings.json, else it uses the value I specify in appsettings.json.