Unlike the common understanding that,the maximum limit for session time out is 90 minutes it is 525,600 minutes -- i.e., 365 days x 24 hours x 60 min ...
In order to avoid script injection attacks(where forms are used as a way that hackers tried to break in to Microsoft systems through applications. ) .NET has added strong monitoring to form data entry that will sniff out "potentially dangerous"...