Understanding Session Time-out Issues

Last Updated: Nov 14, 2016 07:03PM EST

Symptoms of a Lost Server Session

Typical symptoms of server session issues are:
  • You are being frequently logged out of the Control Panel
  • Customers report being logged out of their accounts
  • Customers report having an empty shopping cart after they add products to it
  • Customers report errors in the storefront during checkout (e.g. when switching to a secure page)

All of the above might be due to the server session being lost. When a customer visits your online store, a unique server session is started for that customer. The session is a portion of the server's memory where information about the customer's visit to your store is saved (e.g. products that the customer added to the shopping cart). The same is true when you access the ProductCart Control Panel: if the session is lost, you will be logged out.

Possible causes for a lost session

 [Click here for issue new to v5.2]

Typically, after some time, a server session is automatically cleared to free up memory. The default setting for ASP scripts is 20 minutes. This setting can be altered in different ways:
  1. Site-wide. To set the timeout in Internet Service Manager, start Internet Service Manager and navigate to the website that ProductCart is running on and Right Click and select the option “Properties”. Select “Configuration” and then “App Options”. You can increase the value of “Session Timeout” there.
  2. Individual Page. The amount of time after which a session is cleared can be altered by using the “session.timeout” variable. A proficient ASP programmer can help you edit this setting. Several pages in ProductCart use a higher session timeout setting by default (e.g. importing and exporting features).
Use of different domain names
Make sure that all of the links in your navigation and on your site are consistent. For example, do not use “http://yourdomain.com” in some areas, and “http://www.yourdomain.com” in others. These are seen as 2 different sites by the server and will cause session issues (ProductCart uses server sessions to keep track of customer's shopping cart contents, and whether they are logged in, etc.).

The same goes for an IP Address, so make sure that customers are not entering your site under one URL, and switching to another while browsing your store. Carefully review all of the links in your navigation and other areas of the site to make sure that they are consistent.
  • Make sure that the file “includes/storeconstants.asp” contains the correct URL
  • Make sure that the SSL URL under Settings > Store Settings is correct and consistent with the URL in “storeconstants.asp”
  • Make sure that the Home Page URL under Settings > Store Settings is correct and consistent with the URL in “storeconstants.asp”

Redirecting customers to WWW

To correct the problem mentioned above (different domain names used), you can place the following code at the top of any ASP page (it must be an ASP page) used by your site. For ProductCart pages, in v3.05 and above you can place this code at the top of the file “includes/stringfunctions.asp”. This file is used by all relevant files in your storefront. For previous versions of ProductCart (where this file was not used by all relevant files), add the code at the top of “header.asp”.

pcv_strServerURL = request.ServerVariables("HTTP_HOST")
pcv_strScriptName = request.ServerVariables("SCRIPT_NAME")
pcv_strQS = ""
pcv_strQScount = 0

For Each Item In Request.querystring 
            if pcv_strQScount = 0 then 
                        pcv_strQS = pcv_strQS & "?" 
                        pcv_strQS = pcv_strQS & "&"
            end if
            pcv_strQS = pcv_strQS & item & "=" & request.QueryString(item)
            pcv_strQScount = pcv_strQScount + 1

if pcv_strServerURL="my-domain-name.com" then
            Response.Status="301 Moved Permanently" 
            Response.AddHeader "Location", "http://www.my-domain-name.com" & pcv_strScriptName & pcv_strQS
            Response.AddHeader "pragma", "no-cache" 
            Response.AddHeader "cache-control","private, no-cache, must-revalidate" 
            Response.CacheControl = "no-cache" 
            Response.Expires = -1
end if

… where my-domain-name.com is your domain name (change both instances in the code).

Redirecting customers to WWW while using search-engine friendly URLS (404 redirects)

If your site is using search-engine friendly URLs (via a 404 redirect), the above code snippet might not work for you. Here's an example code snippet that has been modified to work with 404.asp search-engine friendly redirects. This code snippet will also preserve SSL https connections:
pcv_strServerURL = LCase(request.ServerVariables("HTTP_HOST"))
pcv_strScriptName = request.ServerVariables("SCRIPT_NAME")
pcv_strServerPort = request.ServerVariables("SERVER_PORT")
pcv_strQS = ""
pcv_strQScount = 0
pcv_strRedirectPrefix = "http://"
if pcv_strServerPort = 443 then
	pcv_strRedirectPrefix = "https://"
end if
pcv_strRedirectURL = ""

For Each Item In Request.querystring 
	if pcv_strQScount = 0 then 
		pcv_strQS = pcv_strQS & "?" 
		pcv_strQS = pcv_strQS & "&"
	end if
	pcv_strQS = pcv_strQS & item & "=" & request.QueryString(item)
	pcv_strQScount = pcv_strQScount + 1

pcv_strQS = Replace(pcv_strQS, ".htm=", ".htm")

if pcv_strServerURL="my-domain-name.com" then
	if instr(pcv_strScriptName, "404.asp") then
		pcv_strQS = Replace(pcv_strQS, "?404;http://my-domain-name.com:80", "")
		pcv_strQS = Replace(pcv_strQS, "?404;https://my-domain-name.com:443", "")
		pcv_strRedirectURL = pcv_strRedirectPrefix & "www.my-domain-name.com" & pcv_strQS
		pcv_strRedirectURL = pcv_strRedirectPrefix & "www.my-domain-name.com" & pcv_strScriptName & pcv_strQS
	end if

	Response.Status="301 Moved Permanently" 
	Response.AddHeader "Location", pcv_strRedirectURL
end if

… where my-domain-name.com is your domain name (change all instances in the code).
Exhausted virtual memory
Windows 2003 servers, unlike Windows 2000 servers, allow Web hosting companies to assign a set amount of Virtual Memory to your account. This ensures that if any of the applications running on the server malfunction, the server's memory will not be exhausted, but rather just the portion of memory allocated to that account. If the memory allocated to your account is used up completely, Windows 2003 automatically clears it so that the applications that use it don't stop working. This process would cause server sessions to be lost.

The virtual memory allocated to your account could be exhausted for a number of reasons:
  • A buggy application that contains memory leaks (e.g. database connections that are not properly terminated, etc.). There are no known memory leaks in ProductCart, at this time (January 2005). However, make sure that any custom ASP code that you might have created or modified does not contain memory leaks. Make sure to properly clear a recordset after using it, and close any open database connections.
  • A large number of concurrent user sessions. If you web store is experiencing an unusually large amount of traffic, this could trigger the problem. Ask your Web hosting company to increase the amount of memory allocated to your account. This might require paying more for your monthly hosting account, or possibly moving to a semi-dedicated or dedicated Web server.


Load balanced servers
If your Web server is load-balanced, a server session is started on one server, and another session would be started on the second server. This will cause the shopping cart to malfunction in many areas. To you it will appear as if there were two different shopping carts running. For example, on one page you could be logged into your customer account, but not on the next page. Or you could add 5 products to the shopping cart and see 3 products on the shopping cart page, then the other 2 products if you refresh the page. ProductCart does NOT support a load-balanced server environment, unless it is configured in a way that prevents the loss of a session.
Multiple processes
Windows 2003 servers, unlike Windows 2000 servers, use a different “worker process” for each different account on the server. This allows problems that might affect one account (e.g. a buggy ASP application) not to affect the whole server. By default, each account is associated with 1 worker process.

However, the server might have been setup to use 2 or more worker processes (a scenario called a “Web Garden”). This would cause a scenario similar to that of a load-balanced server, explained above. ProductCart is not compatible with a server environment where there are multiple work processes on one account. Here is more information from Microsoft on this topic.
What the problem is

IIS7 has a setting called “New ID On Secure Connection (keepSessionIdSecure)”

This generates a new cookie when a transition from a non-secure to a secure connection is made. The default is True. Change this to False if you can, or ask your hosting company to make the change. Here is more information from Microsoft on this topic.

More detailed explanation

What is happening is the environment is creating a separate session variable each for “http” and another for “https” so that when you switch between them, it will give the appearance of missing items. You can verify this when you experience the empty cart (if you are in https) by simply changing the URL for the page you are on to http and you will see your items in the cart.

The root of the problem is ProductCart running in the Win2008/IIS7 environment when IIS7 is set up using default values. There is some key differences between IIS6 and IIS7.

How to fix it

You have two options to fix this issue:
  1. IIS setting
    In the IIS properties window, under the ASP tab –> Session Properties, there is a setting for “New ID on Secure Connections” (this is the friendly name). IIS7 had this set on/enabled by default. You will need to ask your host to turn this setting off.
  2. web.config file
    If you are having problems in your ProductCart-powered store during checkout (e.g. a message indicating that the shopping cart is empty), then try the following.
    1. Create a new Notepad file with the following content:
      <?xml version="1.0" encoding="utf-8" ?>
            <session keepSessionIdSecure="false" />
    2. Save the file with the name “Web.config”
      Make sure it does not have a *.txt extension. The entire file name should be “web.config”
    3. Upload it to the root folder using your favorite FTP software
Application Pool: Idle time-out

In IIS you have the ability to set the “Idle Time-out” (expressed in minutes) at the Application Pool level. This is the amount of time a worker process will remain idle before it shuts down. A worker process is idle when it is not processing requests and no requests are received.

To change the “Idle Time-out” setting (IIS 7 Windows 2008 Server):
  • Start IIS
  • Select the Application Pool that you wish to edit
  • Click on “Advanced Settings” on the right side
  • Expand the “Process Model” section.
  • Change the “Idle Time-out” setting. The default is 20 minutes.

global.asa file

Make sure that you do not have a “global.asa” file on your site that is overriding the default session timeout value.

Application directory

Make sure that your 'includes' folder is NOT configured as an Application Directory, otherwise it will initiate a new session every time this folder is called.

Temporarily disabling control panel access control

If you are having session time out issues, cannot find an immediate solution, and need to temporarily disable access control on your ProductCart Control Panel, you can do so by editing the code of the page “pcadmin/adminv.asp”, as mentioned below. Make sure to create a back-up copy of adminv.asp before editing the file, so that you can quickly restore the original version when you are ready to do so.

THIS IS A MAJOR SECURITY CONCERN as it allows anybody that knows the Web location of the Control Panel to gain access to it. DO NOT disable password protection on the Control Panel unless it is absolutely necessary, and re-enable it as quickly as possible.

Locate the following section of the code:
' verifies if admin is logged, so as not send to login page
if session("admin")=0 then
 response.redirect "login_1.asp?RedirectURL=" & Server.URLEncode(pcv_filePath)
end if

To inactivate this section of code, replace it with the following:
' verifies if admin is logged, so as not send to login page
'if session("admin")=0 then
' response.redirect "login_1.asp?RedirectURL=" & Server.URLEncode(pcv_filePath)
'end if

[Session issue reported on some v5.2 stores]

There is something new to consider in this area (session loss), but we are still researching it further since it's only been reported on a small number of servers. Although we haven’t experienced it on our own servers… there are a couple of stores that started seeing inexplicable session loss after updating to v5.2; and it turns out to be caused by something built in to IIS and the ASP.NET Framework to programmatically signal the WAS Service when the Application Pool needs to be recycled (as part of a self-monitoring service).

In IIS (by default), Ping Monitoring is enabled with very tight timing on responses… and at least on some servers, this feature is causing the ProductCart sessions to be prematurely recycled.

To know for sure, you should explain what’s happening to your hosting provider and ask them to at least temporarily turn off Ping Monitoring and see if it resolves the issue. Here is a page on a 3rd-party Website with more information on this setting:



  • Support Forums
  • Video Tutorials
  • Support Request
  • Support Policy
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found