Why do I lose ASP Session State on IIS6

A common, mysterious behavior encountered by ASP applications on IIS6 is the loss of session state. It seems to disappear more often and Session.Timeout seem to be ineffective. Why?

Question:

I have session.timout set to all day(1440 minutes).

But if my application has been idle more than 1 hour for example, my usser losts the session.

So, I checked the IIS properties.

I found the DefaultAppPool idle timeout property, which was set to shout down the worker procces after beiing idle for 20 minutes.

Should I set this property to 1440 minutes? Does it has something to do with session?

And there is some other property: health - shuth down the worker process after 90 minutes.

What about this property? Should be also set to 1440 minutes?

Thank you for your answer,

Answer:

Actually, none of the IIS configuration you mentioned, idle timeout or periodic shutdown, have anything to do with sessions directly, even though they can affect sessions. Let me explain.

Session State Concepts

Conceptually, this is how Session State works (it is pretty much the same for ASP, ASP.Net, JSP, etc - excluding ASP.Net cookieless session state):

1. The HTTP protocol that the application framework (i.e. ASP, ASP.Net, JSP, etc) uses to transport requests/responses is stateless. This means that given two different users that view the same URL, the server should send back the same response. This is clearly not very interactive nor user-customized, so a long time ago Netscape came up with an idea to maintain state between clients and servers over HTTP - cookies.

2. How cookies work to maintain state is simple: whenever an web application wants to maintain state (such as runtime session state) with the user of the web browser, it makes the web server return a Set-Cookie: response header with some ID and an arbitrary URL. The web browser is supposed to remember the cookie's contents (the ID), and whenever the user navigates to the matching URL (or below), it should send that content as a Cookie: request header to the server.

   In other words, if the web application sets a cookie with an ID of "foobar" for the URL of "/app1" of a given website, whenever the browser navigates to this website it is supposed to return the cookie with an ID of "foobar" when the user's URL is "/app1/default.asp" but not "/app2/default.asp". Clearly, the web application just needs to set unique IDs and participating browsers will return the cookie so that the web application can later determine the unique user that is interacting with it based on the ID in the cookie.

3. How a web application uses cookies to maintain session state is also simple: the application framework simply associates all the runtime state of the application with the ID (i.e. SessionID) and makes sure to send that ID with a Set-Cookie on the initial HTTP response, and whenever the web browser makes a subsquent request to the application's URL namespace, the application framework inspects the cookie header for an ID and if it is found, look up all of the associated runtime state and continue processing the web application with that state. Good application frameworks would also control the time period of validity for this runtime state via something like Session.Timeout.

Session State and Process Recycling

Now that the basics are out of the way, we can get to the question at hand. What does process recycling have anything to do with maintaining session state?

Well, remember that HTTP is stateless. This means that ASP Session State, which is runtime state located on the server, associated with a SessionID, and retrievable via a client-side cookie... must be stored SOMEWHERE in between HTTP requests such that it can be retrieved for subsequent requests by a web browser to give the illusion of "session state".

On IIS6, the ASP session state is stored in-process with whatever w3wp.exe that is executing ASP.DLL to process your ASP application. This state is valid for as long as the w3wp.exe is running.

Now, some of you may be wondering why setting Session.Timeout does not affect the validity of the session state with respect to process recycling. Well, Session.Timeout is basically an ASP concept relating to the period of validity of a given SessionID by ASP, and that has no clear mapping with the IIS6 concept of recycling a w3wp.exe based on various metrics. What happens if >1 ASP applications have different Session.Timeout values, why should ASP applications have privilege to set Application Pool recycling properties, and what happens if you want a recycling policy that conflicts with Session.Timeout behavior? Which should win?

Hopefully, the implication is now clear. Whenever you establish ASP session state (which is stored inside some w3wp.exe process), if you cause that w3wp.exe to recycle for any reason, the in-process session state will be lost regardless of the value of Session.Timeout. The health monitoring features of IIS6 Application Pool, such as the idle timeout or periodic recycling, all trigger a w3wp.exe recycle based on some metric. Thus, in order for you to preserve the logical concept of an ASP session state that times out after 1440 minutes, above all else, you have two basic choices:

1. If you use In-Process ASP Session State (this is what is provided by default), then you need to make sure to configure IIS6 Application Pool health monitoring metrics to not recycle the w3wp.exe until after 1440 minutes from the last user request
2. If you use Out-of-Process ASP Session State - then you do not need to worry about IIS6 Application Pool health monitoring metrics because your session state does not exist in the w3wp.exe and thus survives the w3wp.exe recycling

In your case, since you want to enforce the logical concept of ASP session timeout in 1440 minutes and you are using in-process ASP session state, you need to disable all health monitoring metrics since they can cause premature w3wp.exe recycling and loss of such state. In particular, you need to disable periodic recycling because even if you set it to 1440, it still breaks your logical concept. Suppose an user logs in 1439 minutes after the first request that started up the w3wp.exe... the w3wp.exe will still recycle in one minute because it is configured to recycle 1440 minutes after the first request that started it up. This means that the user just lost his/her session state after one minute of login. Meanwhile, idle timeout should be set to at least 1440 because the w3wp.exe will recycle only after 1440 or more minutes of inactivity - where the ASP session state is supposed to become invalid anyways so it does not matter that the w3wp.exe recycled.

//David

Comments

• Anonymous
  September 22, 2005
  Thanks for your detailed response however we have tried your recommendations and nothing has worked for us.
  
  The ASP session still seems to disappear after about 30 seconds (give or take) on our site.
  
  We have changed the application pool, removed all health settings, we didnt have a global.asa because we are using a mysql database, but added one in to see if that mattered.
  
  We setup loogging to log worker process recycling and nothing has been logged yet?
  
  Thanks for any help you can provide.
  
  Why are we losing our session?

• Anonymous
  September 22, 2005
  The comment has been removed

• Anonymous
  December 23, 2005
  Quite a good explaination David ........
  Mate just wan to know if setting out-of-process session state in IIS 6 is possible & how should one go about it ?
  
  Many thanks for your answers uptil now.
  
  

• Anonymous
  December 23, 2005
  ASP does not provide Out-of-process Session State support by default. Egbert Nierop has written such an implementation, as has others.
  
  ASP.Net provides an Out-of-process Session State support by default.
  
  Here is a thread that may be of interest:
  http://forums.asp.net/623999/ShowPost.aspx
  
  //David

• Anonymous
  January 06, 2006
  The comment has been removed

• Anonymous
  January 10, 2006
  Charlie - Thanks for the encouragement and information. Yes... the basic issue is that Web Garden introduces multiple processes to service requests while in-process state is not automatically copied across processes... so you either need to avoid state, manually synchronize it, or centralize and share the state in an out-of-process session state store.
  
  The blog software (Community Server) does have a feature for one to enter email address to be notified of any new comments. I see a "Receive email notifications" link with the blog entry, and I use it to know when there is new feedback.
  
  //David

• Anonymous
  January 25, 2006
  Got the link from Egbert - Out-of-process session state for ASP compatible with recycling.
  
  http://www.nieropwebconsult.nl/asp_session_manager.htm
  
  //David

• Anonymous
  March 27, 2006
  Is there any free Out-of-process session state for ASP available?
  
  Nieropwebconsult's solution is quite expensive.

• Anonymous
  May 25, 2006
  Great information here, thank you David. I have been running around in circles for quite some time on a session problem with ASP.NET, and I wanted to point to another bit of information that I didn't find referenced in many places on the web.
  
  If you are losing your session and can't find any evidence of process recycling, check out this Microsoft KB article detailing a bug with MSIE 5.5 that may cause your client to break itself.
  
  <a href="http://support.microsoft.com/kb/288993/en-us">Session Data Is Lost During POST to GET Redirect</a>

• Anonymous
  May 25, 2006
  Link correction from above:
  
  http://support.microsoft.com/kb/288993/en-us

• Anonymous
  June 08, 2006
  We are using out of process session (state server) due to a load-balanced webfarm.  But when I turn on the webgarden we randomly loose session (2 min, 4 min, etc. when session timeout is set to 20 min).  No one else has experienced this?

• Anonymous
  June 13, 2006
  I've seen people mention using SQL server to maintain state.
  
  Can someone elaborate on how this is done?
  
  Is there a COM object to do this? Is it ASP hand coded?
  
  Please explain.
  
  Thank you!

• Anonymous
  June 16, 2006
  It's another 10K entry!
  
  //David

• Anonymous
  June 16, 2006
  The comment has been removed

• Anonymous
  June 16, 2006
  Dave - session state is simply a blob of data which a web page can retrieve with an ID. The ID comes from the browser; the blob of data can be stored either in a data structure inside the same process or elsewhere, using memory, SQL, disk, etc.
  
  ASP provides an implementation that stores the data in the memory of the process handing the ASP page. You have to either find or write an implementation that stores the data elsewhere, in a SQL Server, for example. This implementation can be exposed via COM object, etc.
  
  Some people have written implementations to perform the above and charge for it; you are always free to write your own. Or you can upgrade to ASP.Net and use its free implementation of a SQL Server-based out-of-process session state service.
  
  //David

• Anonymous
  June 22, 2006
  Has anybody heard about the loss of the session when the name of the server contains ""?
  
  My web application works on machines without "" but if there is a "_" in the name, I lose the session...
  
  Thank you

• Anonymous
  June 23, 2006
  Julien - that behavior is actually by-design. I found the answer by searching for:
  lose ASP session state "_"
  
  The issue has nothing to do with IIS nor your web application but the loss of cookies.
  
  //David

• Anonymous
  June 29, 2006
  hi david,
  We are upgrading from IIS 5 to IIS 6. We have 3 load balanced web servers. My question is in IIS6, do i still need to have same instance in IIS metabase for a website? i referred to http://support.microsoft.com/default.aspx?scid=kb;EN-US;q325056 for that. And do we have still have to generate a session key and put that same in machine.config on all 3 web servers?
  I will appreciate your response.
  
  Thanks!
  saumin

• Anonymous
  June 29, 2006
  Saumin - No idea. Your questions are best answered on an ASP.Net Forum such as www.asp.net or by applicable KB articles based on your ASP.Net version.
  
  //David

• Anonymous
  August 30, 2006
  We are also experiencing the same problem as of Tracy.
  We are using in process session ,but when I turn on the webgarden we randomly loose session before the time out of session.
  And when we turn off the web garden than it works fine.

• Anonymous
  September 08, 2006
  "Application Pool health monitoring metrics to not recycle the w3wp.exe until after 1440 minutes from the last user request "
  
  Instead of doing that, can you just recycle the process at a specific time, such as 1am., that would be the same right?
  
  also how do you disable the webgarden (do you just set the # of processes to 1? )

• Anonymous
  September 12, 2006
  Hi everyone, can any one tell me where i can find the registry entry of application pool properties.. ie in performance tab for shutdown worker process after boing idle

• Anonymous
  September 25, 2006
  Hi does the javascript affect session timeout. i have a problem maintaining my session state i set it to timeout by 400 (400 minutes) I have a javascript(serves as a timer countdown within 50 minutes). the purpose of the java is to submit the page after 50 minutes but i lose session after that. any suggestions pls.

• Anonymous
  April 16, 2007
  You can change the recycle settings within the IIS MMC - just get the porperties of the Applciation Pools. From here you can set it to recycle the process at specific times of the day or after a certain number of requests.

• Anonymous
  June 21, 2007
  We had "InProc" session management and the sessions would drop very randomly. Background We had a process which was logging the time and date the daemon process was run. See the below link, of what it has to say! http://support.microsoft.com/kb/324772 Cause <b>if any file in the application's directory changes, the session would be lost! </b> Strange but true, MSFT calls it a feature, but honestly I think this is a flaw in the “InProc” session management of MSFT IIS 6 Server. Solutions. 1.Change the session management algorithm 2.Don’t update or create any files in the application server directory

• Anonymous
  July 05, 2007
  Hello! I am developing a web site with ASP (Framework 1.1) and AJAX, which is running in a platform with the IIS6 in a Windows 2003 server. The session always expired after 20 minutes. I tried modifying all the timeouts of the Application Pools, and at last I disabled all the timeouts, the recycling schemes... Now my problem is that the static web pages run correctly, but the ones which are been updated lose the session after 20 minutes. The updating is done by means of AJAX requests each 8 minutes.... The strage thing is that this problem doesn't happens in a platform. Could everyone help me? Thank you very much!

• Anonymous
  July 10, 2007
  Following are the issue we are facing 1.In our case we are writting cookies through ASP file but then also after some idel time 20 minutes system could not read the values from cookies. In our application we are using ASP as well as .NET

2. After recycling session state is lost. as such we are not using any session variables but we are using the cookies. due to session expiration system could not read the cookies. But this behavior is not obnserved for each recycling time. some times it expire session and some time not.  could not figure out how this is happening do you have any idea

• Anonymous
  August 01, 2007
  After upgrading to Service Pack 2 for Windows 2003 Server we noticed issues with session states in that browser session id's were switching unexpectidely causing problems with login forms and various other areas of our websites. To solve the problem with sessions I created a custom application pool within IIS, selected the application pool properties and limited the number of worker process to 1.  Anything more than 1 will cause IIS to spawn a new process and therefore assign a new session. I have tested from a number of browsers and this works.   This is a fix for people creating sessions on the fly within IIS.

• Anonymous
  October 02, 2007
  Hello, I am having  real problem with this as well. I get the following error in the event log. A worker process with ID'12720' serving the defaultAppPool has requested a recycle because the worker process reached its allowed processing time limit. I lose session variables when this happens(after reading the above article that is far enough).However, i am not sure why this error happens i have about maybe 75 pages which connect to a database and create conn and rs objects , and i have noticed the connection string is in Session object and many of the pages do not destroy the recordsets or the conn to the db properly after closing them ( i.e.set them to nothing) could this lazy coding be causing my issues cause this recylce is happening about once a day consistently . I have about 100 users at anyone time accessing the web site. Basically i need the root cause of why the allowed processing time limit error is happening Any help or ideas would be appreicated Gavin

• Anonymous
  October 08, 2007
  I've had a problem on my site where, using classic ASP, the session variable gets halted/stalled and appears empty.  Refresh sometimes clears the problem resulting in the session variable containing what it should have done originally.  I've made sure the cookies are set correct and I've tried to remove any conflict with my AV software (Norton).   Could it be a VISTA IE7 thing? Please, any ideas?

• Anonymous
  November 20, 2007
  Guys - THANK-YOU!!! We have been fiddling for 2 days (two of us) trying to figure out why sessions where lost every few minutes. The web farm thing worked. Perfectly. All is up and running. THANK-YOU AGAIN!!! You lot ROCK!

• Anonymous
  April 24, 2008
  The comment has been removed

• Anonymous
  June 19, 2008
  I just wanted to say thanks!! This post and the resulting comments helped me solve a nagging problem with users being 'randomly' logged out. I am using classic ASP and the web garden was > 1. Once I dropped it to 1 the problem disappeared. So it effects classic asp as well. Seems like the this information should really be added to the help section for IIS.

• Anonymous
  July 17, 2008
  The comment has been removed

• Anonymous
  July 19, 2008
  12 hours later, our 'caching' problem (apparent random results assumed to be cached pages from previous requests) is solved simply by dropping the number of worker processes from 2 to 1 on our quad-core web server (fat lot of use that is!). Thanks to all here for getting this page Google-able. Gotta say that it's hard to believe that I'm using VS2008/C# 3.5/Win 2003 Server & IIS 6 and MS STILL haven't made it all hang together properly for multi-core web servers (y'know, like anything made in the past years ...). Thanks again guys.

• Anonymous
  July 23, 2008
  John - Actually, Microsoft INTENTIONALLY did not make ASP hang properly on multi-core with the ease of ASP.Net Microsoft has long made it hang together properly, from the beginning, for ASP.Net with the Session State Service. However, ASP predates all of this discussion, and there was a consciously decision in IIS6 to NOT produce a ASP Session State Service which would have addressed your concerns. You can view the decision as -- by making an ASP Session State Service, that would be one more thing prohibiting people from migrating to ASP.Net -- so to promote ASP.Net and the future of .Net, ASP had to be less capable. //David

• Anonymous
  August 25, 2008
  Hi David, Your posts are very great assest to developers (great job!) I have a web application written in ASP classic. We have upgraded to IIS 6, and I was/am experiencing a session timeout problem, I searched the web and updated the IIS configuration to eleiminate the worker process recycling (and other settings as well that are listed above). The problem is: When I leave any page idle for about 10~25 minutes and try to go to any other page, I get the message "You are about to be redirected to a connection that is not secure. The information you are sending to the current site might be retransmitted to a non-secure site. Do you with to continue?" This happens while I am not using any secured page(https) in this application, and the session is lost again. What could be the problem? What to search for? I am lost! Please advice. Thanks in advance.

• Anonymous
  August 25, 2008
  Correction: Your posts are a great asset to developers (great job!)

• Anonymous
  August 25, 2008
  David, A quick question regarding what seems to be a recycling issue as well. With a couple of sites on iis6 and each one using their own application pool, there is one of them out of all the 6 that cannot seem to hold onto what i believe is a session. After about 60 minutes, not always, but around that time it seems that the session dies because i can no longer read the data stored in a simple script from a session. I believe it has everything to do with the fact that his site seems to be extremely slow and the single cause for his whole server to be lagging severely. Once i stop his site (which is largely ASP driven) the server regains its performance. As well the script is able to run without losing its session. I think its a simple matter of the site overloading asp threads, but i'm not to firm on the understanding of what happens in this case. Does the application pool moniter the asp threads, and once it reaches too many processes it recycles it and therefore causes the application object to lost its session?

• Anonymous
  September 09, 2008
  The comment has been removed

• Anonymous
  September 09, 2008
  Robert - it sounds like that specific user is somehow disabling cookies, which is used to maintain session state between the browser and server. //David

• Anonymous
  October 04, 2008
  David, all I can say is You Are Great! Every time I have an issue I surf all kinds of forums googling my problem, and I never found such a great explanation on an issue as the one you have provided. Here's what I do to manage webfarming on ASP using in process session state: Use a redirection page that will contains the following code ==========================================

  • Generate a Unique ID (This can easily be done by inserting into a "dummy" table that only contains an identity number)
  • Every session element is saved into a table in the database that contains a unique ID, and the current DateTime: ID / SessionVariableName / SessionVariableValue / DateTime
  • POST the unique ID and the main page address of the current server (where the user would go to log in for the first time) to a receiving page in the new server and anyother POST if necesary In the new server (receiving page)
  • The Unique ID will be used to get the session variables from the DB and be defined in the new server.
  • The current time is matched with the datetime saved in the db table plus a configurable value (1 minute at the most)
  • If it matches, deletes all the entries for the selected UniqueID Ensuring that even if the time didn't pass, the session variables will not be available in the db.
  • If it doesn't match redirect to the caller's home page (for security purposes). Hope it helps!!

• Anonymous
  October 05, 2008
  Lucas - Actually, you describe an out-of-process session state implementation, which should work perfectly fine (and you've verified it!) :-) The actual state values are in the database table, which is stored outside the process serving ASP. You essentially pass a SessionID around to any server in the web farm, which can access the same session state from the database, no matter which server in the web farm handles the request. This is analogous in behavior to the ASP.Net Session State Service, and the design is quite effective at leverage IIS6 Web Gardens and Web Farms in a scale-out fashion to handle load. //David

• Anonymous
  December 26, 2008
  The comment has been removed

• Anonymous
  January 18, 2009
  Hi All, I have little different kind of plroblem.

---

I am using VS 2005 ASp.Net. and in my web application i manage my Session out proc state i.e. in Sql Server. there are two module in it. in which one is working fine and all the session variable mantain properly but in another module some of the session variable losing its value with in 5 sec on the same page or either on redirect on the other page. i can change my session variable name but still the problem exist. Thanks, Nitin

• Anonymous
  May 06, 2009
  I'm lost. If by default, the WWW service establishes an overlapped recycle, in which the worker process that is to be shut down is kept running until after a new worker process is started, how come the session state will be lost? (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/24e3c22e-79a9-4f07-a407-dbd0e7f35432.mspx?mfr=true)

• Anonymous
  May 11, 2009
  A new look of the old problem. Thanks for this article! Really, we got the same problem on our server, and I'm testing the server and its settings basing on this article.

• Anonymous
  July 03, 2009
  Hi David, I wanted to report back that after trying everything I could to resolve my issue with session state I was not able to resolve it.  I recently had a PC crash and had to rebuild from scratch. (Don't worry, I had a recent back-up of everything). When I diagnosed the reason for the crash it was related to a corrupt registry.  My registry was massive and I now believe it was the root of this issue.  (I previously tried some registry cleaning software and none of them worked.  I have also read that many of these cause more harm than good and should not be used.) So while there are a lot of great suggestions here about resolving session state problems, if none of them work you may have my issue and require a complete rebuild.  I do not know if there could have been other solutions, but when I consider the hours spent searching for solutions and trying different things, in the end the fastest solution was to do a clean install of everything. Hopefully this post will help others avoid the hours of frustration trying to resolve this problem.

• Anonymous
  August 28, 2009
  David, We have an 3rd party application developed using Framework 1.1, which is running on a platform using IIS6 in a Windows 2003 server. The application randomly "loses" the session variables.  When this occurs the aspx pages throw the "Object reference not set ..." exception. I have tracked the occurences back thru the Web site log and I am seeing a number of sc-win32-status = "64" errors. When the "64" error occurs in the GET 200 transaction of the first page, the sc-bytes value is much smaller than normal, the time-taken value is much higher than normal, and the called aspx page throws the exception when trying to use the Session values in creating its content. Below is a section of the Web log showing the "normal" behaviour vs the behaviour when a "64" error is encounterd.   Normal behaviour cs-method cs-uri-stem sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken GET /App1/Page1.aspx 200 0 0 22869 495 406 POST /App1/Page1.aspx 302 0 0 453 4834 265 GET /App1/Page2.aspx 200 0 0 15374 603 312 Abnormal Behaviour cs-method cs-uri-stem sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken GET /App1/Page1.aspx 200 0 64 288 495 812 POST /App1/Page1.aspx 302 0 0 453 1850 171 GET /App1/Page2.aspx 200 0 0 1124 603 328 Notice the sc-bytes value shrinks from 22869 to 288, the time-take increases from 406 to 812, and the sc-bytes for Page2.aspx shrinks from 15374 to 1124. Do you have any ideas on what is happening? Thanks

• Anonymous
  September 03, 2009
  I have the same question as Chris Yao stated above, which does not appear to have been addressed yet.

---

If by default, the WWW service establishes an overlapped recycle, in which the worker process that is to be shut down is kept running until after a new worker process is started, how come the session state will be lost? (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/24e3c22e-79a9-4f07-a407-dbd0e7f35432.mspx?mfr=true)

---

• Anonymous
  October 08, 2009
  Hi Dear  Can you help me about losing session. I use webconfig for control session all the page but it usually losing session I don't know the problem. If you know can you tell me?

• Anonymous
  November 17, 2009
  My session state is set to serverstate, and timeout is set to 60 minutes, however each session still expires in about 20 minutes.

• Anonymous
  November 17, 2009
  I mean session state is StateServer in the last post

• Anonymous
  November 30, 2009
  Hi David, Thank you very much for such a great information. I am facing early timeout problem. Everywhere I have marked as 20 minutes, but session times out just after login or after logged in and searched any thing in our application, it throws the user out of the application (session timeout). This is well running application for last 2 years and now we are facing the problem. Environment: ASP.NET 2.0, W2K3 server, Load Balanced Clustered Servers. I have checked Web.config file of Application, Application session timeout in IIS, Default website session timeout in IIS, Worker process idle timeout of application pool, Recycle timeout period of application pool, Antivirus setting and everywhere it is mentioned correctly i.e. 20 minutes. I am not able to resolve the issue and client is asking for urgent resolution.

• Anonymous
  January 10, 2010
  I'm facing the same problem. I'm working with a  web farm. Could be tha case that my web application is being redirected to a new Worker process? in that case, how can I trace this behavior, I mean How can I now if this issue is happening. Thanks

• Anonymous
  April 18, 2010
  Hi, I am having a situation where the worker process seems to recycle every so often, sometime within seconds. This does not happen if the user logging into the website has admin access to the server. We are running the website on IIS6 & ASP.Net 2.0 with a few simple Ajax controls. Looked at all the options provided in this thread but without luck. Any inputs on the problem are appreciated. Regards Sridhar

• Anonymous
  April 23, 2010
  I've been having the same problem as many described where my application would timeout very quickly. Since I was using session variables to maintain authentication state, I had to log back in frequently. The problem was the "Web Garden" feature where I had set "max number of worker processes = 20". Now that I cut the processes down to 1, my application maintains the session state and my authentication state is stable for the 20minute timeout period. Many thanks for your explanations on here!