It turns out that any application that is PCI compliant must have a maximum session life of no more than 15 minutes of inactivity.

Andy Warhol's old standard may rear its head at Web.config like so:

<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424"
      sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
      cookieless="false" timeout="15" />

 
 

This touches on the four modes. The InProc option is going to drop sessions whenever the appPool refreshes.