asp.net - Replace FormsAuthentication with SessionAuthenticationModule (SAM) to make Claims Aware identity -

i have existing mvc4 app (.net 4.5) using formsauthentication i'm looking switch using sessionauthenticationmodule can claims aware identity both easy of additional data identoty , first step migrating performing authentication via wif (windows identity foundation) sts (security token service) service adfs (active directory federation services), that's later down road.

my question is, determines timeout when user authenticated using sessionauthenticationmodule?

i used this page authentication working, , seems work fine. authentication looks this.

snippet login action method

var personid = securityservice.authenticateuser(model.login, model.password);  if (!personid.isempty()) {     authenticationservice.signin(personid, model.rememberme);     if (url.islocalurl(model.returnurl))         return redirect(model.returnurl);     else         return redirecttoaction("index", "home"); } 

authenticationservice.signin()

public void signin(guid personid, bool createpersistentcookie) {     var login = securityservice.getloginbypersonid(personid);     if (string.isnullorempty(login.name)) throw new argumentexception("value cannot null or empty.", "username");      var claims = loadclaimsforuser(login.name);     var identity = new claimsidentity(claims, "forms");     var claimsprincipal = new claimsprincipal(identity);     var token = new sessionsecuritytoken(claimsprincipal, ".cookiename", datetime.utcnow, datetime.utcnow.addminutes(30)) { ispersistent = createpersistentcookie };     var sam = federatedauthentication.sessionauthenticationmodule;     sam.writesessiontokentocookie(token); } 

authenticationservice.loadclaimsforuser()

private ienumerable<claim> loadclaimsforuser(string username) {     var person = securityservice.getpersonbyloginname(username);     if (person == null)         return null;      var claims = new list<claim>();     claims.add(new claim(claimtypes.nameidentifier, person.personid.tostring()));     claims.add(new claim(claimtypes.name, username));     /* .... etc..... */ } 

but there concern had want retain behavior of sliding expiration user not prompted re-login when login expires, upon working on problem noticed can't find out determines how long stay logged in @ all. i've set session timeout, forms timeout , validto parameter on sessionsecuritytoken constructor 1 minute, after elapses, i'm still able access site. cookie appears in browser expiry date of "session", i'm not sure why if cookie valid session shouldn't token, identity or whatever want call expire after 1 minute , force user log in?

i had similar issues once, here question containing approach invalidate cookies upon token expiration

how set timeout when federating adfs 2.0

adding bit of different logic gives sliding expiration

http://brockallen.com/2013/02/17/sliding-sessions-in-wif-with-the-session-authentication-module-sam-and-thinktecture-identitymodel/

web.config - setting maxclockskew

<system.identitymodel>   <identityconfiguration>     <securitytokenhandlers>       <securitytokenhandlerconfiguration maximumclockskew="0">         </securitytokenhandlerconfiguration>     </securitytokenhandlers>   </identityconfiguration> </system.identitymodel>