Setting session timeout

The default session timeout in Litium is 20 minutes; that is how long a user is kept logged in if there is no activity.

What’s the recommended way to extend this timeout?

Litium version: 6

You extend it in web.config.
https://docs.litium.com/documentation/get-started/web_config

The documentation is to me a bit unclear. The only mention is this:

"enableSessionTimeoutsInGui* : Standard IIS settings allow a user to be inactive for 20 minutes before the session times out. Set this to false if you don't want to be logged out even if you are inactive for more than 20 minutes."

So setting this to false would extend it beyond 20 minutes. But HOW long would it be extended? Our customer would like to set it to 12 hours.

In your web.config.

```xml
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" timeout="Amount-Of-Minutes" />
```

2 Likes
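As an added example (not part of the original thread or the Litium documentation), this is where the sessionState element sits in a standard ASP.NET web.config, with the 30-minute value the thread ends up recommending. The httpCookies line is an added assumption about how an ASP.NET site hardens its session cookie, not something Litium prescribes.

```xml
<configuration>
  <system.web>
    <!-- timeout is in minutes. 30 matches the OWASP low-risk guidance quoted
         later in the thread; the 12 hours the customer asked for would be
         timeout="720". stateConnectionString is only used in StateServer mode
         and is ignored for InProc; it is kept here because the thread shows it. -->
    <sessionState mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  cookieless="UseCookies"
                  timeout="30" />
    <!-- Assumption, not from the thread: a longer-lived session ID is a more
         valuable thing to steal, so keep the cookie out of script reach
         (HttpOnly) and off plaintext HTTP (Secure). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Whatever value is chosen, it applies per session, so the memory cost discussed in the replies below scales with the number of distinct sessions alive inside that window, not with the number of logged-in users.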

Great. Issue solved, thanks Steve :slight_smile:

1 Like

Setting the session timeout to 12 hours can cause the server to run out of memory, which will prevent new visitors.

Each visitor to the site then keeps a small part of the memory or external session store occupied for a very long time.

A visitor in this case is not only a physical person but also the crawlers that index the site. If the visitor does not store the session cookie between requests, a new session is created for every request, and each one adds a little memory usage.

The setting enableSessionTimeoutsInGui only affects the areas that are not yet updated to the new API (Websites and Sales); it creates requests to the server at a regular interval to keep the session active until the browser is closed.

Thanks for the input Patric :+1: So my conclusion based on this is that it is maybe not a great idea to have such a long session timeout. Any recommendations on what might be a reasonable time? 1h, 2h?

It's hard to say that it will not work either; it depends on the traffic they have to the site, and it is something you need to try out to find the optimal timeout for that customer, based on their expectations and the memory usage on the server.

Maybe if you share your problem, everyone can come up with a better solution. Why do you need such a long session? Is it for visitors in the storefront or for users in the back office?

Hey Ton :slight_smile:

It's not really a problem; our client thinks it would be a better user experience for the end user if they are kept logged in for longer than 20 minutes.

However, after doing our own research on this topic, the general guideline is not to keep the session open longer than 30 minutes. For example, the Open Web Application Security Project:
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Introduction
"Common idle timeouts ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications."

So, due to the security aspect and the server memory aspect Patric brought up, we have recommended our client to set the session timeout to 30 minutes.

3 Likes

Great, please set the query to resolved with the related answer :slight_smile: