Login Time-Out
Production Risk
Low — expected behaviour for session timeout on IIS. Handle by redirecting to login.
440 Login Time-Out is a Microsoft IIS extension used to indicate that the client's session has expired and the user must log in again. It is returned when a user's authenticated session times out on an IIS server.
1. The user's session on the IIS server has expired due to inactivity.
2. The authentication cookie or token has exceeded its configured lifetime.
3. The server-side session was invalidated (e.g., server restart, session store flush).
A user leaves an IIS-hosted web application idle for longer than the session timeout period and then tries to perform an action.
POST /account/update HTTP/1.1
Host: intranet.company.com
Cookie: ASP.NET_SessionId=expired_session_id
expected output
HTTP/1.1 440 Login Time-Out
Fix
Redirect to login page
When: You are building an ASP.NET application on IIS.
// In Global.asax or middleware
if (Response.StatusCode == 440) {
    // Session timed out: send the user back to the login page
    Response.Redirect("/login?reason=timeout");
}
Why this works
Catches the 440 response and redirects the user to re-authenticate.
✕ Do not treat 440 as a generic 401
440 specifically means session timeout, not invalid credentials — the error message to the user should differ.
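For pages that call the server with fetch(), the same distinction can be made in the client. The following is an added example, not code from the original page: the function names, the message strings and the 401 handling are assumptions, and only the `/login?reason=timeout` target comes from the fix above.

```javascript
// Assumed login route; reason=timeout matches the server-side redirect above.
const LOGIN_PATH = "/login";

// Decide what the UI should do for an authentication-related status.
// Returns null when the status is not an authentication failure.
function authFailureAction(status) {
  switch (status) {
    case 440: // IIS: the session expired; the credentials were never rejected
      return {
        kind: "session-timeout",
        redirect: `${LOGIN_PATH}?reason=timeout`,
        message: "Your session expired. Please sign in again.",
      };
    case 401: // Missing or rejected credentials: different wording, no timeout reason
      return {
        kind: "unauthenticated",
        redirect: LOGIN_PATH,
        message: "Sign-in is required or your credentials were not accepted.",
      };
    default:
      return null;
  }
}

// fetch() wrapper that checks the status before any caller parses the body.
// deps.fetch and deps.navigate are injectable so the logic can be exercised
// outside a browser; in a page they default to fetch and location.assign.
async function apiFetch(url, options = {}, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const navigate = deps.navigate || ((to) => globalThis.location.assign(to));

  const response = await doFetch(url, { credentials: "same-origin", ...options });
  const action = authFailureAction(response.status);
  if (action) {
    navigate(action.redirect);
    const err = new Error(action.message);
    err.kind = action.kind; // lets callers tell timeout from bad credentials
    throw err;
  }
  return response;
}
```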
Microsoft IIS-specific. Not part of any IETF standard.
Microsoft IIS documentation
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#440