Configure session timeout

appcmd set config /section:asp /timeout: timeSpan

The default value is 00:20:00

 

 

Managing Session TimeOut using Web.Config

Set the timeout attribute in web.config (a timespan can also be used); the default is 20 minutes. The timeout attribute cannot be set to a value that is greater than 525,601 minutes (1 year) for the in-process and state-server modes.

<sessionState
    mode="[Off|InProc|StateServer|SQLServer|Custom]"
    timeout="number of minutes" ... />

 

If you are using ASP.NET 2.0, you have to check in IIS.

Open IIS, click on Application Pools, and select the application pool for your application.

Right-click on it and select Properties.

In the Performance tab, set the idle timeout to your desired number of minutes under "Shutdown worker processes after being idle for ..... minutes".

Apart from this, you have to set the timeout in web.config, as said by the other friends.

 

 

<configuration>
  <system.web>
     <sessionState timeout="20"></sessionState>
  </system.web>
</configuration>

 

 

How does the session timeout work in IIS 7?

In web.config, I set timeout in the sessionState to 20 minutes. According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned. In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out is automatically populated with the timeout value set in web.config, which in my case is 20 minutes. Also, in Application Pools->DefaultAppPool->Advanced Settings->idleTimeout, I set it to 10 minutes.

Then I made two tests. First test: I logged in to my web app at 3:45pm and idled for 10 minutes. At 3:55pm, I tried to use my app and got kicked out. I think the idleTimeout comes into play.

Second test: I logged in to my web app at 4:00pm and played with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. I expected to be kicked out at 4:20pm, but I was not. I thought the session state timeout (20min) in IIS 7 is the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate. Apparently, from this test, it is not. Can anyone explain that to me? Also, how could I set the timeout for the above case?

 

Session time-out is a sliding time-out that is reset for a user to the configured value each time they visit the server.

The Application Idle time-out kicks in if there have been no requests to your application for that period of time.

The usual scenario is therefore:

Time  | User A       | User B       | Session States
------+--------------+--------------+-------------------------------------------
12:00 | Visits Page1 |              | A: New Session, Time-out: 20 minutes
12:02 | Visits Page2 |              | A: Time-out reset: 20 minutes
12:10 |              | Visits Page1 | A: Time-out: 12 min; B: New: 20 minutes
12:15 |              | Visits Page2 | A: Time-out: 07 min; B: Time-out: 20 min
12:22 |              |              | A: times out; B: 13 min remaining
12:32 |              |              | Application Shuts Down (Idle time reached)
12:35 | Visits Page3 |              | A: New Session Starts

If User A were to return to the site after 12:22 they would have a completely new session, and any values you've stored in there previously would be lost.

The only way to ensure that a session persists over application restarts is to configure either a SessionState service or SQL Session States, and ensure that you've configured the machine.key so that it's not AutoGenerated each time the server restarts.

If you're using the standard ASP.NET mechanisms for authentication, then ASP.NET will issue two cookies to each user:

  1. Authentication Token: Controlled by the Authentication time-out setting; allows the user to be auto logged in to your site if the cookie hasn't expired. This can be fixed or sliding, and defaults to 30 minutes, which means their authentication token can cope with a longer "idle" period than their session.
  2. Session Token: Controlled by the Session Time-out setting, allows your application to store and access per-user values during the lifetime of their visit.

Both of those cookies are encrypted using the MachineKey - so if your application recycles and generates a new key neither of those tokens can be decrypted, requiring the user to log in and create a new session.


Responding to comments:

  1. The 20 minute session time-out relates to items you've placed in the user's session object (HttpSessionState) using the Session.Add(string, object) method.
  2. That depends. If you've correctly configured the machine.key, authentication tokens will still be valid, and if your sessions are no longer "InProc" these will also persist through application restarts and will still be readable - see notes above.
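
The two timers discussed in this thread, modelled as an added example (not ASP.NET or IIS code, and not part of the original posts). It replays the question's two tests with the sliding session time-out and the application pool idle time-out. Times are whole minutes, `simulate` and its outcome labels are made-up names, and `absolute_timeout` is a hypothetical hard cap that the application would have to enforce itself.

```python
from dataclasses import dataclass

@dataclass
class Session:
    created: int    # minute the session was created
    last_seen: int  # minute of the most recent request

def simulate(requests, session_timeout=20, idle_timeout=10,
             in_proc=True, absolute_timeout=None):
    """Replay (minute, user) requests and return (minute, user, outcome).

    Outcomes: 'new', 'resumed', 'expired' (sliding window elapsed),
    'lost-on-recycle' (InProc state died with the idle worker process),
    'absolute-expired' (hypothetical hard cap enforced by the application).
    """
    sessions, last_request, results = {}, None, []
    for minute, user in sorted(requests):
        # The worker process shuts down when NO user has sent a request
        # for idle_timeout minutes; InProc sessions live in its memory.
        recycled = (last_request is not None
                    and minute - last_request >= idle_timeout)
        had_session = user in sessions
        if recycled and in_proc:
            sessions.clear()
        s = sessions.get(user)
        if s is None:
            outcome = "lost-on-recycle" if had_session else "new"
        elif minute - s.last_seen >= session_timeout:
            outcome = "expired"
        elif absolute_timeout is not None and minute - s.created >= absolute_timeout:
            outcome = "absolute-expired"
        else:
            outcome = "resumed"
        if outcome == "resumed":
            s.last_seen = minute  # sliding: each request resets the idle clock
        else:
            sessions[user] = Session(minute, minute)  # start a fresh session
        last_request = minute
        results.append((minute, user, outcome))
    return results

# Constructed inputs: the question's two tests (session 20 min, idle 10 min).
TEST_1 = [(0, "me"), (10, "me")]                                     # 3:45pm, 3:55pm
TEST_2 = [(0, "me"), (5, "me"), (10, "me"), (15, "me"), (20, "me")]  # 4:00-4:20pm

if __name__ == "__main__":
    for row in simulate(TEST_1) + simulate(TEST_2) + simulate(TEST_2, absolute_timeout=20):
        print(row)
```

Only the run with `absolute_timeout=20` ends the session at the 4:20pm request; with the sliding window alone, a session that keeps receiving requests never expires.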

 

 

 

 

View information for a specific user in the domain

gpresult /user manhnguyenv /v > C:\info.txt

 

How can I find out what AD groups I'm a member of?

gpresult /V

 

How can I find out which Active Directory groups I’m a member of?

gpresult /V

 

Network Service Account

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684272(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/ms998320.aspx

https://www.codeproject.com/Articles/674930/Configuring-IIS-ASP-NET-and-SQL-Server

https://docs.microsoft.com/en-us/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis


 

Windows 10

icacls "D:\Projects\Web\Deploy" /grant "IIS_IUSRS":(OI)(CI)F /T

icacls "D:\Projects\Web\Deploy" /grant "NT AUTHORITY\Network Service":(OI)(CI)F /T