Understanding ASP.Net session life time

Question

I am confused about ASP or ASP.Net session life time (or life cycle) concepts. More specifically, my confusions are:

1. How does IIS decide when a new session sta

Answer 1

Session is generally handled by generating a unique identifier as a cookie on the clients machine. This is usually a session cookie, so you can't easily get to it. When you visit a site that uses sessions, it looks for this cookie. If it doesn't find it, it creates a new one, thus creating a new session.

One way to set the expire time is in the web.config, you can also set it in IIS by going to your website properties -> Home directory tab ->Configuration button -> Options Tab -> Session Timeout.

You will not be able to access someone elses session data.

Answer 2

1. Session starts because the request does not contain a session cookie or the session cookie it does contain no longer maps to a session. A session ends by a) it has sat idle with no further requests referencing it for the timeout period. b) Its deliberately aborted by code. c) In-process session dies when the process does, e.g. when the app is recycled.

2. Different ways to change the timeout are basically modifing the web.config anyway or a config file from which the value is inherited.

3. Not unless the session object is deliberately placed by code somewhere that another session can access it.

Answer 3

Don't forget the AppPool settings too...by default (IIS 6 anyway) it will recycle every 120 minutes. So it's possible that someone could lose their session in less than the set Session_Timeout value.

Answer 4

You can set session timeout programatically with:

Session.Timeout = 60;