There are several things that can affect the length of the timeout and several places where you can set the length. IIS has its own default, and this can also be set on the site based on the site. You can also install it in your application code using session.timeout , as you suggested.
If you created a function to check for an active session, the function itself probably supports the session every time it starts. This is why you experience such long session timeouts.
A session automatically ends if the user does not request or refresh the page in the application within a certain period of time.
global.asa is a file that you can create and include in the root folder of your web application. If you need or need, then just create it.
The format should be something like this:
<script language="vbscript" runat="server"> sub Application_OnStart 'some code end sub sub Application_OnEnd 'some code end sub sub Session_OnStart 'some code end sub sub Session_OnEnd 'some code end sub </script>
To control the duration of a session, you can specify a value;
Sub Application_OnStart Session.Timeout = 30 '30 mins End Sub
One of the most accurate solutions that I have found and am using now would be to record the timestamp of the initial login and the timestamp of the last action for each specific user in the database or in the cookie. Then compare the current timestamp with the data stored to determine if the session should end. You can also use this type of method to automatically redirect the client to the login page after a set period of inactivity or displaying a message that says "your session has expired".