IIS default time-outs

Question

I am aware that the following steps allow me to configure the timeout values in IIS however what are the differences between them. Also are the ASP.NET Session State and CookieTimeout values in the web.config file by default as I don't see them in the Configuration Editor. If so what change do I need to make to the web.config file and how does it affect the other timeout changes?

Steps

1. Session Time Out is 20 minutes by default. The value is affected in a number of settings including Application Pool, ASP, ASP.NET Session State, CookieTimeout.
2. Open IIS Manager
3. Application Pool -> Advanced Settings -> Process Model -> Set Idle Time-out in minutes
4. Sites -> your-website-domain.com -> ASP -> Session Properties -> Time-out then Apply Change
5. Sites -> your-website-domain.com -> Configuration Editor -> system.web/sessionState -> Set Timeout value then Apply Change
6. Sites -> your-website-domain.com -> Configuration Editor -> system.web/roleManager => Set cookieTimeout then Apply Change

Answer 1

When the application pool timeout expires, the application pool is recycled. If you're using the default InProc session store, all sessions are lost when the timeout expires. In general, the timeout is reset every time someone requests a page from the application.

The Session State timeout is the expiration of the session in the session store. When this timeout expires, the session information is removed from the session store and Session_End is called. Refer to the documentation for the element, which can be found here.

The Cookie Timeout that you mention is the expiration for the cookie used by role manager to cache the user's roles in a cookie. The attribute cacheRolesInCookie also has to be set to true for this to have an effect-the default is false. Refer to the documentation here.

I don't believe session state or cookie timeout are included in the configuration file by default, but it depends on what generated the configuration file. If you're looking to have sessions stay open longer, you should only have to set system.web/sessionState so as long as your site has enough traffic to keep the app pool from recycling (one page hit every 20 minutes). Since there are other reasons for the app pool recycling, using one of the other storage mechanisms other than InProc may be a good idea. If you're using one of the authentication providers, it may have an additional timeout. I know that forms authentication has a timeout that you would want to also set.