In web.config, I set timeout in the sessionState to 20 minutes. According to MSDN, this timeout specifies the number of minutes a session can be idle before it is abandoned. In IIS 7, DefaultWebSite->Session State->Cookie Settings->Time Out is automatically populated with the timeout value set in web.config, which in my case is 20 minutes. Also, under Application Pools->DefaultAppPool->Advanced Settings, I set idleTimeout to 10 minutes.
Then I ran two tests. First test: I logged in to my web app at 3:45pm and idled for 10 minutes. At 3:55pm, I tried to use my app and got kicked out. I think the idleTimeout comes into play.
Second test: I logged in to my web app at 4:00pm and played with the app at 4:05pm, 4:10pm, 4:15pm and 4:20pm. I expected to be kicked out at 4:20pm, but I was not. I thought the session state timeout (20 min) in IIS 7 is the maximum amount of time a user session can be active before the Web Agent challenges the user to re-authenticate. Apparently from this test, it is not. Can anyone explain that to me? Also, how could I set the timeout for the above case?
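The two tests above, replayed against a simplified model of the timers named in the question. This is an added illustration, not part of the original post; it assumes in-process session state and a single user hitting the site, and `replay` and its `absolute_cap` parameter are hypothetical names.

```python
from datetime import datetime, timedelta

SESSION_IDLE = timedelta(minutes=20)  # sessionState timeout from the question
POOL_IDLE = timedelta(minutes=10)     # app pool idleTimeout from the question


def t(hhmm):
    """Parse a 24-hour HH:MM stamp (constructed sample input)."""
    return datetime.strptime(hhmm, "%H:%M")


def replay(requests, session_idle=SESSION_IDLE, pool_idle=POOL_IDLE,
           absolute_cap=None):
    """Replay request times; requests[0] is the login.

    Both configured timers are idle timers: each is measured from the
    previous request and restarts on every request (assumption: this user
    is the only traffic, and session data lives in the worker process).
    absolute_cap is a hypothetical extra limit measured from login only.
    """
    login = last = t(requests[0])
    results = []
    for stamp in requests[1:]:
        now = t(stamp)
        idle = now - last
        if absolute_cap is not None and now - login >= absolute_cap:
            outcome = "expired: absolute cap since login"
        elif idle >= session_idle:
            outcome = "expired: session idle timeout"
        elif idle >= pool_idle:
            outcome = "lost: worker process idled out"
        else:
            outcome = "ok"
        results.append((stamp, outcome))
        if outcome != "ok":
            break
        last = now  # activity restarts both idle timers
    return results


if __name__ == "__main__":
    # First test: 3:45pm login, next request at 3:55pm.
    print(replay(["15:45", "15:55"]))
    # Second test: 4:00pm login, a request every 5 minutes until 4:20pm.
    second = ["16:00", "16:05", "16:10", "16:15", "16:20"]
    print(replay(second))
    # Same requests with a 20-minute limit counted from login.
    print(replay(second, absolute_cap=timedelta(minutes=20)))
```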