Write For Us

How To Change ASP.NET Session Timeout

To preserve web server's resources, session expires after certain time of inactivity. Inactivity is considered as time between two consecutive requests from same visitor. By default, ASP.NET session will expire after 20 minutes if visitor doesn't visit any new page. If visitor makes new request, session timer is restarted. But, if there are no new requests, ASP.NET will suppose that visitor is leaved website. When this happens, all session data related to that visitor are deleted from server's memory.


This could cause very annoying situation for visitor. For example, if your visitor fills complex order form or long survey, and then goes to coffee break to rest or lunch and returns back later eager to continue big task.

During that time, if period of inactivity was longer than 20 minutes session will expire. Depending of code logic, application will redirect user to some "session expired" page or display "Object reference not set" error message in case that developer didn't check for null values. In any case, all previous work will be lost and visitor have to start again from the beginning.

How to change session timeout

You can change session timeout value in web.config. For example, if desired session timeout is 60 minutes, markup code in web.config should look like this:

<sessionState timeout="60" />

SessionState element is located under <system.web> namespace.

Change ASP.NET session timeout programmatically

Also, you can change session timeout from code. For example, to decrease session time to 10 minutes, use:

Session.Timeout = 10;

How to change session timeout

One more way to change session timeout is using Internet Information Services (IIS) Manager. Open Control Panel -> Administrative Tools -> IIS Manager -> Select desired web site -> in ASP.NET section on right side open Session State -> and finally, in text box named "Time-out (in minutes)" on the bottom of the form, change default value. This is method if you use IIS 7, but it is similar for earlier versions too. On IIS 6, right click on selected website -> choose Properties -> in pop up dialog select ASP.NET tab -> and change timeout value.

Why increasing of session timeout maybe not works

In some cases, when you increase session timeout, then run web application, session will still expire. There could be few possible reasons for this.

Notice that session timeout should be less than Application pool idle timeout, so if you increase session timeout, you have to increase application idle timeout too. Otherwise, application will get recycled. If application is recycled, sessions will expire automatically.

Also, if you use Forms Authentication, you'll probably need to increase forms timeout too, using markup code in web.config like this:

      <authentication mode="Forms">
        <forms timeout="60"/>



Be aware that increasing session timeout too much, although is possible, almost always is not good idea. For example, if website has high traffic with thousands of visitors online, keeping all that sessions for a long time could cause scalability problems and decrease website performances. In addition to that, you don't need all sessions anyway, because most of expired sessions represent users who leaved website.

ASP.NET, as server side technology, only knows time of last request and compares that time with current server time. Since HTTP is stateless protocol, ASP.NET doesn't know if visitor is leaved website or is just doing nothing while page is still displayed in browser.

It would be more scalable to separate these two kinds of visitors and keep only sessions of visitors who are not leaved website. We can accomplish this by making periodical artificial requests.

Instead of increasing session timeout, which is not scalable option, we can keep sessions alive using JavaScript, jQuery, Meta Refresh or ASP.NET Ajax. More about these methods you can read in How To Keep ASP.NET Session Alive tutorial.

Tutorial toolbar:  Tell A Friend  |  Add to favorites  |  Feedback  |