I’m using the Windows Identity Foundation (WIF) Security Token Service (STS) to handle authentication for my application which is working all well and good. However I can’t seem to get any long running login with the STS.

From my understanding I shouldn’t care about the client tokens at the application level since they can expire all they want to and it should redirect me to the STS and as long as they’re still logged in on the STS it should refresh their application token. Yet it doesn’t seem to want to keep them signed in.

Here’s what occurs in my login.aspx on the STS

var cookie = FormsAuthentication.GetAuthCookie(userName, persistTicket);

if (persistTicket)
    cookie.Expires = DateTime.Now.AddDays(14);

Response.Cookies.Add(cookie);

var returnUrl = Request.QueryString["ReturnUrl"];
Response.Redirect(returnUrl ?? "default.aspx");

Which was taken almost directly from existing application using normal Forms Auth.

From my web.config

<authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" timeout="2880" 
      name=".STS" path="/" requireSSL="false" slidingExpiration="true" 
      defaultUrl="default.aspx" cookieless="UseDeviceProfile" 
      enableCrossAppRedirects="false" />
</authentication>

Looking at the cookie after I sign in I can see the expires time on the cookie is set for 14 days in the future and that the cookie is NOT a session cookie.

When I’m required to log back into the STS I can see that my original cookie is still there.

Is there some kind of time stamp functionality that the STS embeds into the cookie that is invalidating my cookie even though as far as I know it should still be valid?