Tutorials » AspNet tutorials »

Establishing and expiring sessions

This article explains when a session is established and expired.

When is a session established ?

A new session is established when a page is requested first time from a website. When you typed the URL http://www.aspspider.com, a new session is established for you in our web server. The same session is re used every time you hit another page.

If you open another browser and type the URL again, it is another session. In that case, two sessions will exists for you at the same time independently.

When and how the session expires ?

A session expires in the web server, if the browser does not request a page from the server for a 'specific' period of time. This period is configurable and each web server can have it's own session timeout.

The default session time out in ASP.NET is 20 minutes. This means, if you take more than 20 minutes to read a page and click another link, then your session is already expired.

But you may never notice that your session is expired. If you hit a page after the session is expired, the web server will treat this as a brand new request and establish a new session for you. There may not be any visible change for you, in most cases.

But if you are logged in into a web site, most of the sites store your user information in session. If you sit idle for long time, your session may expire and the server will lose all your information from the session. When you hit the site again, it will establish a new session. This is why you are automatically logged out from many sites, if you sit idle for some time.

Usually, I take more than 20 minutes to type one chapter in this tutorials. By the time I type this chapter and press 'Submit', my session will expire and I will get an error saying 'You cannot submit a tutorial. You have not logged In". So, now a days, I will type everything in notepad and then copy paste many chapters to this site in one shot.

A session lives for this duration (20 minutes by default) even if you close the browser. The reason is, if you close the browser or shutdown your browsing computer, the server will never know it. It will still remember your session and wait for another request from you until it times out.

The only way a session can be lost before the timeout period is, restarting the IIS in the web server. If the IIS is restarted, all the sessions will be lost and all requests coming up after that will be treated as new requests.

How many session IIS can have?

There are some practical limits, but for each user accessing the site, there will be a separate session. If 5000 visitors are accessing this site at a time, we will have 5000 active sessions in our web server.

How to change session time out in ASP.NET ?

The session timeout can be changed in web.config. Open your web.config file and you may see an entry like this:

sqlConnectionString="data source=;Trusted_Connection=yes"

The line timeout="20" represents the timeout value in minutes. You can change this value to any value you want.

If you reduce timeout to a small number, the sessions will timeout faster and your users may experience automatic logout if they take few minutes to read a page.

If you increase this number to a very big number, your server will remember each session for this long duration of time, even if the user close the browser and go home! This will be an overload for the server consuming lot of memory. For heavy traffic web servers, there will be some limitaion on the total sessions it can handle.

Next Chapter: The ASP.NET Session Object
Previous Chapter: Introduction to Session handling
More Chapters: ASP.NET Tutorials
More Tutorials: Tutorial Index

Top Contributors
TodayLast 7 Daysmore...

Awards & Gifts

Online Members

Copyright © SpiderWorks Technologies Pvt Ltd., Kochi, India