Session timeout can also be set on a per-session basis in the application, and there are other reasons for sessions timing out.

In ASP-classic (Which I assume is what you're referring to), sessions are held in memory in the space of the web application. In the event that the web application is reset, all sessions are wiped (This is determined by IIS seemingly arbitrarily, but may be affected by use of IIS manager or scripts modifying the metabase with ADSI).

In ASP there is no provision for retaining session data across IIS application resets (e.g. machine reboot, IIS service restart, or IIS just resetting the application because it feels like it).

If you're on shared hosting, you will find this unmanageable, as the hosting provider will doubtless use scripts which poke ADSI in ways which cause IIS resets at unpredictable regular intervals.

Another possible cause of IIS resetting is that it's crashing. If that happens, evidence should be visible on the NT error log.

Slarty