[thelist] ASP - Session Variables set to never ever ever ever ever ever expire

Ken Schaefer Ken at adOpenStatic.com
Tue Feb 8 06:01:44 CST 2005



: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Rob Smith
: Subject: [thelist] ASP - Session Variables set to never ever ever ever ever ever expire
: 
: I know I've talked to you about this ongoing for about a year now and no
: matter what I do, I cannot keep session variables from dying on IIS 5. They
: always expire after about 20 minutes. I have done:
: 
: * Response.Expires = -5000
: * session.timeout=90     ' still expires in 20 minutes
: * Gone to the server and set the expiration on variables to 1440 minutes /
: 24 hours.
: 
: What else can I do so that ASP session variables never ever ever ever ever
: ever expire (within a reasonable time frame or as long as the client's
: browser is open).
: 
: Rob Smith
: 
: p.s. grumbling, I'd not have this problem if I had a UNIX server.


I was going to write something harsh here about you taking on board
suggestions that others have made in response to previous posts from you to
the list, but I'll bite my tongue.

In order to try and be a little constructive, what steps have you taken to
verify that the client is indeed being issued a new SessionID?

(Response.Expires should have no effect on Session expiration. The second
thing you have done should set the session timeout to 90 minutes, and would
override whatever you have set in your third point - setting the session
expiration via the IIS Manager).

My question though would be what you have inside these session variables in
the first place, that can't easily be regenerated? 

Additionally, very long session timeouts do present a security risk. Why do
people need to remain in the same session for 24 hours or more?

Cheers
Ken
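
One way to run the check asked about above (is the client really being issued a new SessionID?), as an added example that is not part of the original message: compare the ASPSESSIONID cookie the browser sends with the one the server sets, and measure the idle gap against the configured timeout. The capture format, the cookie values and the function name `find_session_resets` are constructed for illustration.

```python
import re
from datetime import datetime

# Classic ASP names its session cookie ASPSESSIONID plus a suffix of letters.
ASP_COOKIE = re.compile(r"(ASPSESSIONID[A-Z]+)=([A-Z]+)")

# Constructed capture (not from the thread): request time, Cookie header sent
# by the browser, Set-Cookie header returned by the server ("" means none).
CAPTURE = [
    ("09:00:00", "", "ASPSESSIONIDQQGGGCCU=AAAABBBBCCCCDDDDEEEEFFFF; path=/"),
    ("09:05:00", "ASPSESSIONIDQQGGGCCU=AAAABBBBCCCCDDDDEEEEFFFF", ""),
    ("09:27:00", "ASPSESSIONIDQQGGGCCU=AAAABBBBCCCCDDDDEEEEFFFF",
     "ASPSESSIONIDQQGGGCCU=GGGGHHHHIIIIJJJJKKKKLLLL; path=/"),
    ("09:30:00", "ASPSESSIONIDQQGGGCCU=GGGGHHHHIIIIJJJJKKKKLLLL", ""),
]


def find_session_resets(capture, timeout_minutes):
    """Return one dict per response that replaced a session the client presented."""
    resets, last_seen = [], None
    for stamp, sent, set_cookie in capture:
        now = datetime.strptime(stamp, "%H:%M:%S")
        old = ASP_COOKIE.search(sent)        # session the browser presented
        new = ASP_COOKIE.search(set_cookie)  # session the server issued, if any
        if old and new and new.group(2) != old.group(2):
            idle = (now - last_seen).total_seconds() / 60 if last_seen else None
            resets.append({
                "time": stamp,
                "idle_minutes": idle,
                "old_id": old.group(2),
                "new_id": new.group(2),
                # True: the session was dropped sooner than the configured timeout
                "before_timeout": idle is not None and idle < timeout_minutes,
            })
        last_seen = now
    return resets


if __name__ == "__main__":
    for reset in find_session_resets(CAPTURE, timeout_minutes=90):
        print(reset)
```

A reset flagged `before_timeout` means the server discarded the session while the configured timeout had not yet elapsed, which is the situation the original poster describes.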

