440 Login Time-out

HTTP response status code 440 Login Time-out is an unofficial client error specific to the Microsoft IIS web server. The server returns this code when the client's HTTP session has expired and re-authentication is needed.

Usage

The 440 Login Time-out status code indicates the current HTTP session has expired. The client needs to authenticate again before making further requests. This code appears with Microsoft Exchange 2003, Microsoft Exchange 2007, and the Microsoft IIS web server.

SEO impact

Search engines like Google do not index a URL with 440 Login Time-out response status. URLs previously indexed with this code are removed from search results.

Example

An authenticated client sends a request after the session timeout period has elapsed. The IIS server responds with 440 Login Time-out to signal the session is no longer valid.

Request

GET /dashboard HTTP/1.1
Host: www.example.re
Cookie: ASP.NET_SessionId=abc123def456

Response

HTTP/1.1 440 Login Time-out
Content-Type: text/html
Content-Length: 142

<html>
  <head>
    <title>Login Time-out</title>
  </head>
  <body>
   <p>The session has expired. Log in again.</p>
  </body>
</html>

How to fix

Re-authenticate to obtain a new session. The expired session token is no longer valid, so the client must submit fresh credentials. Refreshing the page and logging in again re-establishes the session immediately.

Three IIS timeout settings interact and all need alignment to prevent premature session expiry.

The sessionState element in web.config controls how long session data survives in minutes. The default is 20 minutes:

<system.web>
  <sessionState timeout="60" />
</system.web>

The Forms Authentication timeout controls how long the authentication cookie remains valid. Set this value equal to or greater than the session timeout to prevent the auth cookie from expiring before the session does:

<system.web>
  <authentication mode="Forms">
    <forms timeout="60" />
  </authentication>
</system.web>

The Application Pool idle timeout shuts down the worker process after a period of inactivity. If this value is lower than the session timeout, the pool recycles and destroys all sessions. Increase the idle timeout in IIS Manager under Application Pool > Advanced Settings > Process Model, or disable idle shutdown by setting the value to 0.
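
The alignment rule across these three settings can be checked mechanically. The following Python sketch is an added example, not part of the original page or of any Microsoft tooling; the function names and the sample web.config are constructed, the 30-minute Forms default is the ASP.NET default rather than a value from this page, and the idle timeout is passed in by hand because it is set on the application pool rather than in web.config.

```python
import xml.etree.ElementTree as ET

# ASP.NET defaults used when an element or attribute is absent (minutes).
SESSION_DEFAULT_MIN = 20
FORMS_DEFAULT_MIN = 30

# Constructed sample: the auth cookie lapses 30 minutes before the session.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <sessionState timeout="60" />
    <authentication mode="Forms">
      <forms timeout="30" />
    </authentication>
  </system.web>
</configuration>
"""


def _timeout(root, tag, default):
    """Read the timeout attribute of the first <tag> element, else default."""
    element = next(root.iter(tag), None)
    if element is None:
        return default
    return int(element.get("timeout", default))


def check_timeouts(web_config_xml, pool_idle_min):
    """Return a list of findings; an empty list means the settings align."""
    root = ET.fromstring(web_config_xml.strip())
    session_min = _timeout(root, "sessionState", SESSION_DEFAULT_MIN)
    forms_min = _timeout(root, "forms", FORMS_DEFAULT_MIN)
    findings = []
    if forms_min < session_min:
        findings.append(
            f"forms timeout {forms_min} < sessionState timeout {session_min}")
    # An idle timeout of 0 disables idle shutdown, so it cannot cut sessions short.
    if pool_idle_min != 0 and pool_idle_min < session_min:
        findings.append(
            f"pool idle timeout {pool_idle_min} < sessionState timeout {session_min}")
    return findings


if __name__ == "__main__":
    for finding in check_timeouts(SAMPLE_WEB_CONFIG, pool_idle_min=20):
        print("MISALIGNED:", finding)
```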

Verify the IUSR account is not locked out in Active Directory. A locked or expired IUSR account causes authentication failures resembling session timeouts.

Implement session keep-alive mechanisms for long-running operations. Periodic background requests (AJAX polling or a hidden iframe) to the server prevent the session from expiring during extended workflows.

Takeaway

The 440 Login Time-out status code is a Microsoft-specific client error sent when the client's HTTP session has expired and a fresh login is required.

Last updated: March 5, 2026