I have an ASP.NET 2.0 web site hosted on Windows Server 2008 with IIS 7. I am using InProc session mode (specified in web.config). My client wants the timeout to be of 3 hours, meaning if the web site is idle, session should remain alive for 3 hours. Currently, what is happening is that if the web site is idle for 20-30 min. and if the user to tries to access any link, it redirects to login page.

I searched on internet and did all the possible settings (as follows):

1. In web config, session state, time out = 180 minutes.

2. In web config, forms authentication, time out = 180 minutes.

3. In IIS 7, Site->Features View->Session state - Session State Mode Setting: In Proc and Cookie Setting->Time out = 180 minutes

4. In IIs 7, Site->Features View->ASP->Services->Session Properties->Time out = 03:00:00 hours

5. In IIS 7, Application Pools->Site->Advanced Setting->Process Model->Idle Time-out = 180 minutes.

Even after doing all these settings, timeout has not increased and still if the web site is idle for 20-30 mins. and user tries to access the link, it redirects to login page.

Additional Information: Whenever it redirects to login page after idle of 20-30 mins., and if I check the event log on server, it says something like (I am not sure whether this error is related to this particular issue or not): "Forms authentication failed for request. Reason: The ticket supplied has expired"

How does your code issue the authentication ticket once users log in? The documentation says that the expiration attribute will overwrite whatever you set in the web.config - that might be the issue.

If the ticket is generated manually by using the FormsAuthenticationTicket class, the time-out can be set through the Expiration attribute. This value will override the timeout attribute value specified in configuration files.