Short Description: the IIS Server Variable "HTTP_COOKIE" is expiring in at a time that doesn't seem to be controlled by any timeout variable and I'd like to know what is causing it. I've tried modifying all of the timeout/expiry controlling values I can see within IIS and nothing is changing it from roughly 20-30 mins.
Detail:
We have an application with a C++ back-end which uses the IIS Server Variable "HTTP_COOKIE" to store state data, most importantly the session ID (GUID, for the rest of the question) of the current session for that user. There is a requirement that any user can only be logged in once, and the GUID is one of the pieces of data used to enforce this - every time the user logs on, the GUID is refreshed. Every time a user completes an action, the GUID stored locally in the tab sessionStorage (i.e., that value that it has when the user first logged in on that tab) is checked against the GUID that was most recently created for that user. If they don't match, the user is kicked off the application on that tab.
Now, the problem is that there are two situations where the GUID will be refreshed: when a user logs in, and when the application fails to find an existing GUID within its memory or the HTTP_COOKIE string. Case 1 is fine - that's what we want. Case 2 is annoying, because there appears to be something in the IIS setup that is causing the HTTP_COOKIE to be cleared after 20-30 minutes (I haven't pinned down exactly how long it is). We had a look, and we've found a lot of timeouts that could be causing this, but modifying each in turn to 1 minute, resetting IIS and trying again made no difference to the timeout:
The only one that Did make a difference was:
But this was because it was kicking in before the other timeout and resetting everything, rather than that it was what was causing the one we want to remove. Within our system this timeout is normally disabled (set to 0 minutes, as per MSDN guidelines).
I've trawled through everything I can think of - it's definitely an IIS issue as the server-side code is performing exactly the same task whether it expires or not, the only difference is that the HTTP_COOKIE string is gone after the above idle time, so it generates a new GUID as it can't find the existing one. There are no errors in the event log implying that something has run out of space or otherwise failed causing a reset.
What I'm asking is whether anyone knows of anything else which could be controlling this, and where this can be disabled/modified to a larger value. If you know what this is and know that it's impossible to bypass, that would also be useful to know. If this is the case, if anyone has a suggestion about a better way to store the GUID for the user session they would also be appreciated!
Thanks in advance.
P.S. I'm not looking for a better way to handle this if it involves a total rewrite of the system - the existing one is unnecessarily complicated, but the application is old (~15 years) and contains a lot of archaic methods that we're not being given the resource to sort out, so the only option I have is to work with the system as it is.
HTTP_COOKIE is just the concatenated string passed via the request/response headers for all valid cookies for that domain stored on the client. You're basically being affected by the default timeout for the Session ID. Just create your own session identifier (e.g. generate a GUID stored in a database table) and have the client store it as a cookie with a different expiration date. Update the expiration date with every valid user interaction to extend the session. Problem solved.