user1213831

Reputation: 309

WIF session token set through SessionAuthenticationModule lifetime

Please help me to understand the concept of expiry time for sessiontoken.

Below is the way I am setting the session token after receiving the token from STS.

var principal = validationfunction(); // returns claimsprincipal
if (principal != null)
{
    var token = new SessionSecurityToken(principal.ClaimsPrincipal)
    {
        IsReferenceMode = false
    };

    // this makes sure that the identity and claims are written to the cookie.
    FederatedAuthentication.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(token, true);
}

Please confirm if this is true or not:

  1. If the token lifetime is 10 mins and the user is inactive for 10 mins and doesn't send any request to the website, the session token expires and the user is redirected to the STS login page.

  2. If the user is active and keeps refreshing the page/visits different pages, the session token lifetime gets refreshed. It means every time the user visits the page the token gets a new expiry value, so the user will not be redirected to the login page every 10 mins.

  3. If the user requests an STS-protected resource (web API), the lifetime of the token is treated as absolute. Meaning regardless of whether the user is active or not, if the user requests the web API 10 mins after the token was generated, the token will be invalid and the user is redirected to the STS login page.

Are the above concepts correct?

Upvotes: 0

Views: 235

Answers (1)

leastprivilege

Reputation: 18482

  1. You need to set the token lifetime yourself. The default is IIRC - 10h. When the token has expired and you are accessing a protected resource, the application will emit a 401. If you have the WsFed module - this will result in a roundtrip to the STS.

  2. Session security tokens are absolute expiration by default.

  3. You wouldn't use a cookie to secure a Web API - a redirect does not make sense for APIs (nor does cookie authentication).

Upvotes: 1
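To make the two points of the answer concrete (an explicit lifetime has to be set, and expiration is absolute unless the application renews the token itself), here is an added C# example. It is not code from the question or the answer. The 10-minute window, the class name and the method names are assumptions chosen for illustration; the WIF types and members used (SessionSecurityToken, SessionAuthenticationModule.CreateSessionSecurityToken, the SessionSecurityTokenReceived event) are the real .NET 4.5 APIs.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;

// Added example: (a) an explicit, absolute lifetime on the session cookie,
// (b) the SessionSecurityTokenReceived handler in which sliding renewal has
// to be implemented if it is wanted, because WIF does not slide on its own.
public static class SessionTokenLifetimeExample
{
    // Assumed window for illustration; the question talks about "10 mins".
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromMinutes(10);

    // (a) Without the TimeSpan argument the token gets the configured default
    // lifetime (the answer recalls it as 10h). With it, ValidTo is fixed at
    // issue time and does not move, however active the user is.
    public static SessionSecurityToken WriteSessionCookie(ClaimsPrincipal principal)
    {
        var token = new SessionSecurityToken(principal, SessionLifetime)
        {
            IsReferenceMode = false
        };

        FederatedAuthentication.WSFederationAuthenticationModule
            .SetPrincipalAndWriteSessionToken(token, true);
        return token;
    }

    // (b) Sliding renewal. The SessionAuthenticationModule raises this event
    // on every request that carries a session cookie. Wire it up either by
    // naming a Global.asax.cs method SessionAuthenticationModule_SessionSecurityTokenReceived
    // or by subscribing to FederatedAuthentication.SessionAuthenticationModule
    // .SessionSecurityTokenReceived. The cookie is reissued only once less than
    // half the window remains, so it is not rewritten on every request.
    public static void OnSessionSecurityTokenReceived(
        object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        var now = DateTime.UtcNow;
        var token = e.SessionToken;
        var remaining = token.ValidTo - now;

        if (remaining <= TimeSpan.Zero)
        {
            // Already expired: do not extend it. The module's own validation
            // rejects it, the app answers 401 and the WS-Fed module (if
            // present) sends the browser back to the STS.
            return;
        }

        if (remaining < TimeSpan.FromTicks(SessionLifetime.Ticks / 2))
        {
            var sam = (SessionAuthenticationModule)sender;

            // New token, same principal and context, fresh absolute window.
            e.SessionToken = sam.CreateSessionSecurityToken(
                token.ClaimsPrincipal,
                token.Context,
                now,
                now + SessionLifetime,
                token.IsPersistent);
            e.ReissueCookie = true;
        }
    }
}
```

Without the handler in (b), the behaviour the asker describes in point 2 does not happen: the cookie issued by (a) stays valid until its original ValidTo and then the browser is sent to the STS, exactly as in point 1. The handler is also where an idle cap or an absolute maximum session age would be enforced before deciding to reissue.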
