Understanding Session Time-out Issues

Typical symptoms of server session issues are:

• You are being frequently logged out of the Control Panel
• Customers report being logged out of their accounts
• Customers report having an empty shopping cart after they add products to it
• Customers report errors in the storefront during checkout (e.g. when switching to a secure page)

All of the above might be due to the server session being lost. When a customer visits your online store, a unique server session is started for that customer. The session is a portion of the server's memory where information about the customer's visit to your store is saved (e.g. products that the customer added to the shopping cart). The same is true when you access the ProductCart Control Panel: if the session is lost, you will be logged out.

Typically, after some time, a server session is automatically cleared to free up memory. The default setting for ASP scripts is 20 minutes. This setting can be altered in different ways:

1. Site-wide. To set the timeout in Internet Service Manager, start Internet Service Manager and navigate to the website that ProductCart is running on and Right Click and select the option “Properties”. Select “Configuration” and then “App Options”. You can increase the value of “Session Timeout” there.
2. Individual Page. The amount of time after which a session is cleared can be altered by using the “session.timeout” variable. A proficient ASP programmer can help you edit this setting. Several pages in ProductCart use a higher session timeout setting by default (e.g. importing and exporting features).

Make sure that all of the links in your navigation and on your site are consistent. For example, do not use “http://yourdomain.com” in some areas, and “http://www.yourdomain.com” in others. These are seen as 2 different sites by the server and will cause session issues (ProductCart uses server sessions to keep track of customer's shopping cart contents, and whether they are logged in, etc.).

The same goes for an IP Address, so make sure that customers are not entering your site under one URL, and switching to another while browsing your store. Carefully review all of the links in your navigation and other areas of the site to make sure that they are consistent.

• Make sure that the file “includes/storeconstants.asp” contains the correct URL
• Make sure that the SSL URL under Settings > Store Settings is correct and consistent with the URL in “storeconstants.asp”
• Make sure that the Home Page URL under Settings > Store Settings is correct and consistent with the URL in “storeconstants.asp”

Windows 2003 servers, unlike Windows 2000 servers, allow Web hosting companies to assign a set amount of Virtual Memory to your account. This ensures that if any of the applications running on the server malfunction, the server's memory will not be exhausted, but rather just the portion of memory allocated to that account. If the memory allocated to your account is used up completely, Windows 2003 automatically clears it so that the applications that use it don't stop working. This process would cause server sessions to be lost.

The virtual memory allocated to your account could be exhausted for a number of reasons:

• A buggy application that contains memory leaks (e.g. database connections that are not properly terminated, etc.). There are no known memory leaks in ProductCart, at this time (January 2005). However, make sure that any custom ASP code that you might have created or modified does not contain memory leaks. Make sure to properly clear a recordset after using it, and close any open database connections.
• A large number of concurrent user sessions. If you web store is experiencing an unusually large amount of traffic, this could trigger the problem. Ask your Web hosting company to increase the amount of memory allocated to your account. This might require paying more for your monthly hosting account, or possibly moving to a semi-dedicated or dedicated Web server.

If your Web server is load-balanced, a server session is started on one server, and another session would be started on the second server. This will cause the shopping cart to malfunction in many areas. To you it will appear as if there were two different shopping carts running. For example, on one page you could be logged into your customer account, but not on the next page. Or you could add 5 products to the shopping cart and see 3 products on the shopping cart page, then the other 2 products if you refresh the page. ProductCart does NOT support a load-balanced server environment, unless it is configured in a way that prevents the loss of a session.

Windows 2003 servers, unlike Windows 2000 servers, use a different “worker process” for each different account on the server. This allows problems that might affect one account (e.g. a buggy ASP application) not to affect the whole server. By default, each account is associated with 1 worker process.

However, the server might have been setup to use 2 or more worker processes (a scenario called a “Web Garden”). This would cause a scenario similar to that of a load-balanced server, explained above. ProductCart is not compatible with a server environment where there are multiple work processes on one account. Here is more information from Microsoft on this topic.

IIS7 has a setting :

New ID On Secure Connection (keepSessionIdSecure) This generates a new cookie when a transition from a non-secure to a secure connection is made. The default is True. Change this to False if you can, or ask your hosting company to make the change. |Here is more information from Microsoft on this topic.

In IIS you have the ability to set the “Idle Time-out” (expressed in minutes) at the Application Pool level. This is the amount of time a worker process will remain idle before it shuts down. A worker process is idle when it is not processing requests and no requests are received.

To change the “Idle Time-out” setting:

IIS 6 (Windows 2003 Server):

• Start IIS
• Select the Application Pool that you wish to edit
• Right-click and select “Properties”
• Go to the “Performance” tab
• Change the “Idle Time-out” setting. The default is 20 minutes.

IIS 7 (Windows 2008 Server):

• Start IIS
• Select the Application Pool that you wish to edit
• Click on “Advanced Settings” on the right side
• Expand the “Process Model” section.
• Change the “Idle Time-out” setting. The default is 20 minutes.

Make sure that you do not have a “global.asa” file on your site that is overriding the default session timeout value.

If you are having session time out issues, cannot find an immediate solution, and need to temporarily disable access control on your ProductCart Control Panel, you can do so by editing the code of the page “pcadmin/adminv.asp”, as mentioned below. Make sure to create a back-up copy of adminv.asp before editing the file, so that you can quickly restore the original version when you are ready to do so.

Locate the following section of the code:

' verifies if admin is logged, so as not send to login page
if session("admin")=0 then
 response.redirect "login_1.asp?RedirectURL=" & Server.URLEncode(pcv_filePath)
end if

To inactivate this section of code, replace it with the following:

' verifies if admin is logged, so as not send to login page
'if session("admin")=0 then
' response.redirect "login_1.asp?RedirectURL=" & Server.URLEncode(pcv_filePath)
'end if
session("admin")=1
session("PmAdmin")="19"

Locate the following section of the code:

'verifies if admin is logged, so as not send to login page
if session("admin")=0 then 
 response.redirect "index.asp"
end if

To disable it, put an apostrophe in front of all the lines of code. Like this:

'verifies if admin is logged, so as not send to login page
'if session("admin")=0 then
' response.redirect "index.asp"
'end if

• Starting a ProductCart session