ASP.NET Session Timeout Research & Resolution With a Shared Windows Server

This in-depth analysis helps you know the problem and workaround when you experienced ASP.NET session timeout issue with a shared Windows server, which is not reproduced locally.

Simply the session configuration looks like below, following the instruction of web.config at MSDN.

<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="true" timeout="30" />
  </system.web>
</configuration>

The timeout is in minute, defaults to 20 minutes and is allowed to 1 year at maximum. However, you may have log-on expired much shorter than this setting when you host the site with a shared Windows server. In this case, it’s highly possible a limitation set by your provider at IIS administration level, which is out of your control. The reasons include,

  • the small Idle Timeout limitation of the application pool
  • the small Private Memory Limit (KB) of the application pool

You can see the settings at the Advanced Settings Dialog of an application pool on your local IIS, as the following screenshot,

ASP.NET Session Timeout - IIS Application Pool Setting

Caused by Small Idle Timeout Limitation

To sell more accounts by keeping a shared server less-used, almost all the web hosts set the Idle Time-out with your application pool. This setting means, when there is no visit to your website in a specified minutes, the worker process of your site will be recycled automatically. If you use session state mode InProc, the session data stored in memory will be lost with the recycle.

For an example. If you set 60 minutes to Session Timeout in web.config, but the web host sets 15 minutes to your application pool, you may have the issue of session-time in 15 minutes but not 60 minutes as you expected.

Caused by Small Private Memory Limit (KB)

If you store large-sized data in session, the timeout may be caused by exceeding the Private Memory Limit. This settings allows you to use the maximum number of memory, otherwise, the worker process of your site will be restarted. When you have both session timeout and occasional service unavailable 503 error, this is the high-possible reason.

ASP.NET Session Timeout Resolution

Typically, there are 3 major modes – InProc, StateServer and SQLServer, as advised at this MSDN page.

<sessionState mode="[Off|InProc|StateServer|SQLServer|Custom]"
    <providers>...</providers>
</sessionState>

Nearly no web host provides StateServer, because they cannot control the memory usage of a single site among hundreds even thousands of sites in a shared server in this way. The SQLServer is the best choice when you’re using a shared server, actually, but you have to note that the objects stored in session using SQLServer mode must be serializable.

MSDN suggest developers utilize aspnet_regsql.exe to install the session state database, but it’s impossible for shared hosting users. In this case, the following steps may help you.

Create SessionState DB

It’s better to create a separated SessionState DB using this sql script, if you’re allowed to have multiple databases on 1 account. Alternatively, you can also import the sql script into your existing database.

The script is generated by me from a SessionState DB installed using aspnet_regsql.exe, including 2 data tables with optimized indexes, store procedures, etc.

Update web.config SessionState Section

Update the sessionState section of your web.config

<configuration>
  <system.web>
    <sessionState mode="SQLServer" sqlConnectionString="{connection string}" timeout="60" />
  </system.web>
</configuration>

Recommended ASP.NET Hosting

Some bad web hosts set too many restricts to their servers, which lead a lot of unknown exceptions cannot be reproduced locally. Based on my experience on both .NET development and hosting, I recommend you going with the following options. They’re all fully tested by me. Take Host4ASP.NET as an example. The Advance plan includes 512 MB and allows 30 minutes of Idle Time-out – sufficient to almost small and medium sized ASP.NET websites.