[ACCEPTED]-ASP.NET Session Timeout Testing-timeout

Accepted answer
Score: 73

Decrease the timeout

The easiest and most non-intrusive way to 58 test this is probably to just decrease the 57 timeout to a fairly small number, such as 56 3 or 5 minutes. This way you can pause for 55 a few minutes to simulate a longer pause 54 without worrying about application restarts 53 or special reset code having any affect 52 on your test results.

You can modify the 51 session state timeout in a few locations 50 - globally (in the web.config located in 49 the config folder for the applicable .NET 48 framework version), or just for your application.

To 47 modify the timeout just for your application, you 46 can add the following to your application's 45 web.config:

    <sessionState timeout="60" /> 

Alternatively, you can also modify 44 this same setting for your application through 43 an IIS configuration dialog (I believe you 42 still need to have a web.config defined 41 for your application though, otherwise Edit 40 Configuration will be disabled).

To access 39 this, right-click on your web application 38 in IIS, and navigate to Properties | ASP.NET 37 tab | Edit Configuration | State Management 36 tab | Session timeout (minutes).

Note that 35 you can also manipulate this setting through 34 code - if this is already being done, than 33 the setting in the web.config file will 32 effectively be ignored and you will need 31 to use another technique.

Call Session.Abandon()

A slightly more 30 intrusive technique than setting a low timeout 29 would be to call Session.Abandon(). Be sure 28 to call this from a page separate from your 27 application though, as the session isn't 26 actually ended until all script commands 25 on the current page are processed.

My understanding 24 is that this would be a fairly clean way 23 to test session timeouts without actually 22 waiting for them.

Force an application restart

In a default configuration 21 of session state, you can simulate a session 20 timeout by blowing away the sessions entirely 19 by causing the application to restart. This 18 can be done several ways, a few of which 17 are listed below:

  • Recycle the app pool through
    • the IIS MMC snap-in
    • the command-line (iisapp /a AppPoolID /r)
    • modifying web.config, global.asax, or a dll in the bin directory
  • Restart IIS through
    • the IIS MMC snap-in
    • services.msc and restarting the IIS Admin service
    • the command-line (iisreset)

When I mention "default 16 configuration", I mean a web application 15 that is configured to use "InProc" session 14 state mode. There are others modes that 13 can actually maintain session state even 12 if the web application is restarted (StateServer, SQLServer, Custom).

Tamper with the state tracking mechanism

Assuming 11 your web application isn't configured with 10 a "cookie-less" mode (by default, cookies 9 will be used), you could remove the cookie 8 containing the session ID from the client 7 browser.

However, my understanding is that 6 this isn't really simulating a time-out, as 5 the server will still be aware of the session, it 4 just won't see anyone using it. The request 3 without a session ID will simply be treated 2 as an unseen request in need of a new session, which 1 may or may not be what you want to test.

Score: 9

Add a page to the site and call Session.Abandon()


Score: 5

The easiest way would be to open the page 8 in two different tab and logout at other 7 tab would automatically expire session in 6 first tab. Most of the browsers share session 5 across the tab. So i find it very easy without 4 modifying anything in web.config. This way 3 you could test even if a particular feature 2 is not handling redirect to login when session 1 expires.

Score: 4

Bounce the AppPool and session will be lost.

if 4 you don't have direct IIS access, you can 3 open and save Web.Config to do the same 2 thing (Don't use notepad, it screws up the 1 encoding).

Score: 3

Make a shorter timeout.


Score: 3

You can change the timeout in your webconfig

 <authentication mode="Forms">
      <forms timeout="10" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>


Score: 2

If you are storing your session information 2 in a cookie, you could try deleting your 1 cookies.

Score: 1

Recycle the app pool on the server.


Score: 0

You have two options:-

1- Decrease the session 2 timeout in web.config. 2- Restart IIS or 1 Application pool.

Score: 0

I usually use the ASP .NET session state 6 server. Apart from other benefits during 5 development, I can simply restart the ASP 4 .NET state service to abandon the session. If 3 you're using the state server, simply run 2 services.msc and restart the "ASP .NET State 1 Service".

More Related questions