We have several applications built in .NET Framework 4.7.2 that use .NET Identity for authorisation and authentication. I am trying to implement a session timeout, in line with OWASP recommendations.
An initial search through online material suggests adding a sessionState attribute to the web.config file. I have tried
<configuration>
  <system.web>
    <sessionState timeout="2" />
  </system.web>
</configuration>
but this seems to have no effect (the low value of 2 minutes is for testing purposes).
I am supposing that there is a particular way of doing this with .NET Identity / OWIN, such as calling a session invalidate function somewhere but can find no details of how to do this.
I am also not sure what is to be expected by the timeout. Should the page redirect to the login page? Would there not be a problem if the application does not forbid page caching?
Could anyone offer some more detailed advice?
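The following is an added example, not code from the question or from any particular project, showing where an idle timeout actually lives in an ASP.NET Identity / OWIN application. The `sessionState` element only governs ASP.NET session state (`HttpContext.Session`); the login itself is an OWIN authentication cookie whose lifetime is set by `CookieAuthenticationOptions.ExpireTimeSpan`, which is why the web.config change above has no visible effect. The example assumes the stock Visual Studio Identity template types (`ApplicationDbContext`, `ApplicationUser`, `ApplicationUserManager` and its `GenerateUserIdentityAsync` method) and an `Account/Login` action; those names are assumptions, not something the question mentions.

```csharp
// Added example (not from the question). Assumes the stock ASP.NET Identity
// template types ApplicationDbContext / ApplicationUser / ApplicationUserManager.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Startup.Auth.cs: the authentication cookie, not sessionState, carries the login.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            // The ticket is valid for 2 minutes from the time it was last issued.
            ExpireTimeSpan = TimeSpan.FromMinutes(2),
            // true = inactivity timeout (cookie re-issued on requests in the second
            // half of the window); false = absolute timeout from login.
            SlidingExpiration = true,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            Provider = new CookieAuthenticationProvider
            {
                // Re-checks the user's security stamp at most every 30 seconds, so a
                // server-side invalidation takes effect before the cookie expires.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromSeconds(30),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// Stops browsers and proxies caching authenticated pages, so pressing Back
// after a timeout cannot display stale content without a round trip.
public class NoCacheAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var response = filterContext.HttpContext.Response;
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));
        response.AppendHeader("Pragma", "no-cache");
        base.OnResultExecuting(filterContext);
    }
}

// FilterConfig.cs: apply the no-cache policy to every action.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new NoCacheAttribute());
    }
}

// AccountController: explicit sign-out, plus "end every session for this user".
public class AccountController : Controller
{
    private IAuthenticationManager AuthenticationManager =>
        HttpContext.GetOwinContext().Authentication;

    [Authorize, HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Login");
    }

    [Authorize, HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> LogOffEverywhere()
    {
        var userManager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
        // A new security stamp invalidates every outstanding cookie for this user
        // at its next SecurityStampValidator check (within validateInterval).
        await userManager.UpdateSecurityStampAsync(User.Identity.GetUserId());
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Login");
    }
}
```

With this in place, a request for an `[Authorize]` action after the cookie has expired is answered with a redirect to `LoginPath` rather than the page; nothing happens on the client until the next request, so an application that wants the user taken to the login page while idle still needs a client-side timer or a meta refresh. The `NoCacheAttribute` covers the caching concern: without it, the previous page can be served from the browser cache after the cookie has lapsed.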