Admin Session timeout

[cerami2]

how do i increase this to be longer than that is set to .So i can work for a longer time before loged out

thanks
joe

[compunerdy]

You should have seen my last store. I sometimes had to relog in 6 times during one session.

I believe that certain rules like visa certification or something requires the security to be set to a certain level. I could be totally wrong though.

[AbleMods]

Open the web.config file in your store folder and look for the following line:

Code: Select all

<forms timeout="90" slidingExpiration="true"/>

Change the timeout value (in minutes) as needed.

Then find, a few lines below it, this line:

Code: Select all

<sessionState mode="InProc" timeout="90"/>

Again change the timeout to suite your need. Remember this affects your site users as well as you the Admin. It can also impact traffic reports that monitor site authentication as a closed session will still be considered "logged in" until the timeout value is reached.

[cerami2]

Thank you for your help

[AbleMods]

You're welcome. As you can see, I've set mine to 90 minutes because it annoyed me severely.

You'll also want to check the Admin screen Configure/Security/Password Policy. It's set to expire your admin password pretty frequently.

What I'd like is to auto-authenticate if it detects a localhost install. It gets really old doing development testing and having to login and do the CAPTCHA every single time I test a page.

[cerami2]

How do you do this?

You'll also want to check the Admin screen Configure/Security/Password Policy. It's set to expire your admin password pretty frequently.

I think this is what i need the most I am build the site now and it logs me out to offen

[AbleMods]

They are two seperate things.

Modifying the web.config file determines the amount of time before your login to the site expires.

Modifying the password policy settings in the Configure/Security menu of the Admin screen determines how often you (and your visitors) password must change.

[cerami2]

thanks for the info
I am new to ablecommerce just moved over from storefront
http://www.insulincase.com
http://66.252.239.209

Thanks again
Joe Cerami

[NC Software]

Out of curiosity, how does this timeout pair with session timeout? You may have a 90 minute timeout for your admin side, but what if your IIS session times out, default of which is 20 minutes?

Logan?

[AbleMods]

That's what we're describing, the IIS session timeout value.

They can be set server-wide in a global web.config file or on a site-by-site basis using individual site web.config files.

You could specify different timeout values in the root web.config and the ~/Admin/web.config files. You would then have a scenario where pages in one part of the site timeout sooner/later than other parts of the site.

That would be a very non-standard implementation but it is supported so far as I know.

[NC Software]

I wouldn't touch the IIS session timeout. What you should do (Logan/AC) is have an option in the AC7 Admin to enable "keep alive" that will refresh the admin section every 15 minutes or so which prevents the session from expiring. There could be nasty side effects of extending the sessionin IIS such as memory management.

[bha]

Has the suggestion of refreshing for admin to prevent timing out been implemented in any form?

Since I am using a hosted solution with Able, I don't want to cause potential memory problems on the server by extending the IIS timeout value.

Thanks,
Bruce.

[AbleMods]

I agree with Neal that a refresh feature should be added, but until then there's only one way I know to do it and that's changing the session timeout value in the site web.config file.

I've been running it that way for months without any issues - I think you'll be fine changing it for your site.

[Logan Rhodehamel]

Out of curiosity, how does this timeout pair with session timeout? You may have a 90 minute timeout for your admin side, but what if your IIS session times out, default of which is 20 minutes?

Forms authentication is the one that matters for purposes of login/logout. It is based on a cookie, so increasing the value won't have much impact on server resources.

Session timeout is less critical. We only make use of session in rare occasions, so it is not an issue if the session expires. If the user visits the site again, the server session will be recreated. Generally we avoid the ASPNET session in favor of using our database, since it is simpler for clustering.

[NC Software]

Logan,

Is it a sliding expiration?

[AbleMods]

...since it is simpler for clustering

So THAT'S why I see so much session state work done via specialized code instead of the .Net session functions........I've been wondering that for months

[Logan Rhodehamel]

Is it a sliding expiration?

By default - this is a standard ASPNET / web.config setting that you can turn on or off.

[Logan Rhodehamel]

So THAT'S why I see so much session state work done via specialized code

This time around we've made the "session" code more aligned with the .NET framework. Instead of implementing custom sessions, we created an implementation of a .NET Membership Provider. So while our implementation is custom, the standard framework APIs are used.