Hoping someone can answer what should be a quick question for me. I'm new to ASP - only about 6 months in with no formal training, I'm learning as I go.

Background:
I've built a quick web-app that allows users to submit, modify & view info. To keep unauthorized users out, I've included a simple login script that checks the userid/pwd against a database. If there's a match, a session is created, if not, you're directed to an error page. All of this is being run on a Win 2k3 machine running IIS6.

My Problem:
Regardless of what page the user is on, if the user does not activate a link or submit info via the form for a solid 60 seconds, the sessionID is destroyed and the user is forced to re-login. Most of the users are slow typists and require at least 2 minutes to enter their info, so this obviously needs to be addressed.

What I've Done:
I originally thought this was a server config issue (still do, actually) but the server guy keeps telling me it's my code, so I've tested it out completely. I've looked it over and have had 2 other programmers look it through. I've posted it on two test environments and on 2 other production servers (for a total of 4 different webservers, all running WinXp, IIS5 - I don't have access to IIS6). The Session is *not* destroyed after 60 seconds on any of the other environments, it only happens on our production server.

My Questions:
1) I'm sure I know the answer to this - my guess and gut reaction would be no - but I want to make absolutely sure before I try to take this back to the server guy: Is it possible to lengthen the amount of time the session variable is kept for just one app (E.G. within the ASP code, not within the server configs?)
2) Has anyone had this problem before, if so, what did you find fixed it?
3) If this is a config issue and not a code issue (which I'm thinking), how can I convince the server guy? I've tried to show him the test results from other webservers as well as writing out the session id at the top of each page and showing him the variable is destroyed after 60 seconds. All I get in response is: "Yeah, I set it up so the connection stays for 20 minutes and the variable is destroyed after 60 seconds." (Maybe it's just me, but I didn't think that was possible...)

If you'd like to see my code, I'll be more than happy to post it here, just ask.

Edit: Just as an FYI in case any of you ask, this is not just a single web-app that this happens with - it happens with all session variables used in any subweb on the server. (Include code I've written, code that's been generated by ASPRunner and various other "Wizards" and "Generators")

That doesn't sound right, If the session doesn't expire until after 20 mins, then the variables in the session shouldn't expire either.

Who is you web host if you don't mind me asking?

Please post your code, it'd be good to see it just to double check things.

We host our own pages. Here's the for the login:

Code for Login.asp (the form posts to this page)

Code:

<%
'Fetch the username and password provided from default.asp
strUser = request.form("login")
strPass = request.form("password")
%>

<%

'Open a database connection
set conn=Server.CreateObject("ADODB.Connection")
conn.Provider="Microsoft.Jet.OLEDB.4.0"
conn.Open(Server.Mappath("fpdb/database1.mdb"))

'Create a Recordset using CursorType 1, which allows the number of
'records returned to be checked
set rs = Server.CreateObject("ADODB.recordset")
rs.CursorType = 1

'Query the database for a record matching the specified username/password
rs.Open "SELECT * " & _
        "FROM   tbl_Users " & _
        "WHERE  usrName = '" & strUser & "'" & _
        "AND    usrPass = '" & strPass & "'", conn

'Make sure there is only one record in the recordset (zero records means
'an invalid ID or password, more than one means multiple matching records
'exist and something is wrong, less than zero means something went wrong,
'probably an invalid recordset or incorrect cursor type)
numRecs = rs.RecordCount
if (numRecs = 0) then
	'An invalid user ID or password was entered
	response.write("The user ID or password entered were not valid, please try again.")
	'response.redirect("default.asp")
elseif (numRecs > 1) then
	'Too many instances of this username exist in the database
	response.write("Unable to locate the correct user ID, please report the following numbers to CMS:")
	response.write("<br><br>")
	do until rs.EOF
		response.write(rs.Fields("usrKey"))
		if (rs.AbsolutePosition < numRecs) then
			response.write(", ")
		end if
		response.write("&nbsp;")
		rs.MoveNext
	loop
elseif (numRecs < 0) then
	'Unknown error
	response.write("An unknown error has occured, please report this to CMS right away.")
else
	'Everything worked, store the user number (key field of user table)
	'as a session variable so it can be used in queries on other pages
	session("UserID") = rs.Fields("usrName")

	'Close the recordset & connection
	rs.close
	conn.close

	'Redirect to the next page
	Response.Redirect("menu.asp")
end if

'Close the recordset & connection
rs.close
conn.close
%>

Code for Checksession.asp (page is included at the top of each page within the web-app, makes sure you're still logged in.)

Code:

<% response.write("<font size=1>Connection Number:  " & session.SessionID & "</font>") %> 

<%
'Note - the "standard" extension for include files is ".inc", as in
'checksession.inc, but you should use .asp so if someone gets the file
'name they can't view or download it.

'Redirect to the login page unless a valid Session object exists for
'this user and the UserID session variable is not null.  This should
'also cause it to redirect after the session object expires.
if (session("UserID") = "") then
	response.redirect("default.asp")
else
	'Open a database connection
	set conn=Server.CreateObject("ADODB.Connection")
	conn.Provider="Microsoft.Jet.OLEDB.4.0"
	conn.Open(Server.Mappath("fpdb/database1.mdb"))

	'Create a default recordset
	set rs = Server.CreateObject("ADODB.recordset")
end if
%>

It's a settings problem on the server, there's nothing wrong with that code as far as I can see.

Just for giggles check the default timeout on the server:
response.write "Default Timeout is: " & Session.Timeout & " minutes."

Or try overriding the timout and see what happens:
Session.timeout = 30

I actually did that before I resorted to posting it on a forum asking for help (though, I'm glad I joined up here, I can already see I'm going to learn lots!) Anyway, I did do that, and it does print out 20.

When I took this to the server guy the first time, we looked at the Session Timeout (which is set at 20 minutes) and looked at the ASP Script Timeout (which is set at 90 seconds). I asked him about this in depth and he couldn't tell me why it wasn't the server configs and that I simply needed to re-check my code.

Talking to him last week, he admitted that he has two settings on the server - 1 destroys the session variable after 60 seconds, and the other maintains a session connection for 20 minutes. Last I knew, this was *NOT* possible. If you don't have a variable, you don't have a connection, right?

Do you finally find a solution ???