Session Timeout in IIS, ASP.NET
April 10th, 2013
Boss had me look into how we can keep sessions alive (IIS server/client)
without having to "stay-alive-ping" the server (in our website's ASP.NET code)
from client browsers. The main consideration is that a user must re-enter
their CAC PIN when the ping occurs, and if the user is away from his/her
machine during the ping request, the ping will not complete and will return
a 403 status because the client certificate will become invalid. If a user
was in the middle of a long form or taking a training course, all data would
be lost. This is bad.
I have done some research and have found out the following:
We can extend the session by extending the session timeout on the server.
This requires the following 3 settings:
Set Session Timeout for website:
IIS --> [website] --> Properties --> Directory Tab --> Configuration Button -->
Options Tab --> Session timeout (currently 120 minutes for most sites, default
IIS value: 20)
Set ASP.NET Authentication Cookie Timeout:
IIS --> [website] --> Properties --> ASP.NET Tab --> Edit Configuration Button -->
Authentication Tab --> Cookie timeout (currently 120 minutes for most sites,
default ASP.NET value: 30)
Set Idle Timeout in App Pool:
IIS --> [app pool] --> Properties --> Performance Tab --> Idle Timeout (currently 20
minutes for most sites, default IIS value: 20)
The bottom line is that the session will time out at the lowest of these
three settings, which is 20 minutes in the App Pool objects. Currently we
are doing an ASP.NET "stay-alive-ping" at some interval less than 20 minutes
from our pages to extend this limit indefinitely. If we were to change
our app pool to 120 minutes (matching the other two settings), we could then
extend the "stay-alive pinging" to, say, 115 minutes. Thus the CAC PINs
would only be requested when a user post/get occurs (and the CAC software
requires a revalidation) or at 115 minutes since the last user post/get,
whichever comes first.
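The lowest-of-three rule above, as an added example (not code from the original post): it reads the session and authentication cookie timeouts from a web.config and checks a proposed ping interval against the binding limit. The sample web.config is constructed, the function names are hypothetical, and the app pool idle timeout is supplied by hand because it is not stored in web.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config carrying the 120-minute values from the post.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <sessionState timeout="120" />
    <authentication mode="Forms">
      <forms timeout="120" />
    </authentication>
  </system.web>
</configuration>"""

# Defaults in minutes, as quoted in the post, used when an attribute is absent.
DEFAULT_SESSION = 20
DEFAULT_AUTH_COOKIE = 30


def read_timeouts(web_config_xml, app_pool_idle_minutes):
    """Collect the three timeouts (minutes). The app pool idle timeout is not
    stored in web.config, so it is passed in by hand (assumption)."""
    system_web = ET.fromstring(web_config_xml).find("system.web")

    def minutes(path, default):
        node = system_web.find(path) if system_web is not None else None
        raw = node.get("timeout") if node is not None else None
        return int(raw) if raw is not None else default

    return {
        "session": minutes("sessionState", DEFAULT_SESSION),
        "auth_cookie": minutes("authentication/forms", DEFAULT_AUTH_COOKIE),
        "app_pool_idle": app_pool_idle_minutes,
    }


def check_ping(timeouts, ping_minutes):
    """Return the binding (lowest) setting and whether the ping beats it."""
    binding = min(timeouts, key=timeouts.get)
    limit = timeouts[binding]
    return {"binding": binding, "limit": limit,
            "keeps_alive": ping_minutes < limit, "margin": limit - ping_minutes}


if __name__ == "__main__":
    for pool_idle, ping in ((20, 15), (20, 115), (120, 115)):
        result = check_ping(read_timeouts(SAMPLE_WEB_CONFIG, pool_idle), ping)
        print(f"pool idle {pool_idle}, ping {ping}: {result}")
```

The middle case (app pool still at 20 minutes, ping moved to 115) is the one to catch before a change goes live: the ping no longer arrives before the lowest timeout.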
Hope all this makes sense.
