Administration: Configure authentication expiration

There are several cookies and tokens used by Sitefinity, each of them having different expiration time. Use the following procedures to configure it:

This is the cookie used for the authenticated user on the Relying party (.AspNet.Cookies).
To configure it, perform the following:

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication and click RelyingParty.
3. If you want to enable or disable sliding expiration, use the Authentication cookie sliding expiration checkbox.
   By default this setting is enabled.
4. You can also change the default expiration time in Authentication cookie expiration time input field.
5. Save your changes.

This is the cookie used for the authenticated user on the Secured Token Service (idsrv).
To configure it, perform the following:

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication and click SecurityTokenService » IdentityServer.
3. Change the default expiration time from the Cookie remember me duration input field.
4. Save your changes.

IdentityServer3 provides four types of tokens: Identity token, Access token, Refresh token, Authorization code. Their expiration times are configured per client application. To configure them, perform the following:

1. Navigate to Administration » Settings » Advanced.
2. In the left pane, expand Authentication » SecurityTokenService » IdentityServer » Clients.
3. Choose the client you want to configure.
4. Configure the tokens:
   • Identity token lifetime.
     Default is 300 seconds (5 minutes)
   • Access token lifetime.
     Default is 3600 seconds (1 hour)
   • Refresh token
   • Refresh token expiration - choose from Sliding or Absolute
   • Sliding refresh token expiration.
     Default is 1296000 seconds (15 days)
   • Absolute refresh token expiration.
     Default is 2592000 seconds (30 days)
   • Authorization code lifetime.
     Default is 300 seconds (5 minutes)
5. Save your changes.