I am building an app, which is a Javascript SPA with Asp.net mvc controllers in the backend. I am trying to use IdentityServer for authentication. I have authorize attribute on my controllers. One of the requirements I have is that the user's session should be expired in a certain amount of time(if no activity, user should be prompted to login). The implicit flow does not work for me because of security restrictions. I grabbed the Identity4 samples https://github.com/IdentityServer/IdentityServer4.Samples and tried using the cookieauthentication middleware, setting the ExpireTimeSpan to see if that expires the cookie. Somehow even after the expiration of the timespan specified, I am still able to make a call into the controllers. How can I accomplish something similar to a asp.net session timeout with Identity Server and Asp.net mvc?