The current Microsoft.Owin.Security.Cookies middleware lets you select from either sliding or absolute expiration. It would be nice to allow for both - a short sliding expiration to handle timing out inactive users, but also an absolute expiration to handle
maximum allowed session length before requiring re-authentication.
The only way to handle this currently is
outlined in this blog article
- modifying the cookie authentication provider to add custom data for the absolute expiration and having it enforced there.
It would be nice to have first-class support for this rather than having to hack it in every time.