There are a few examples of this around… The example in the WIF book doesn’t take clock skew into consideration.
Here’s one that does:
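/// <summary>
/// Session authentication module that gives the session cookie a sliding
/// expiration: when a token arrives in the second half of its lifetime, a new
/// token with the same lifetime is issued and the cookie is rewritten.
/// </summary>
/// <remarks>
/// Every renewal restarts the full lifetime, so this module places no absolute
/// cap on how long a session can live. A cookie that keeps being presented
/// inside the renewal window (by the user or by anyone holding a copy of it)
/// stays valid indefinitely. Enforce a maximum session age separately if
/// policy requires one.
/// </remarks>
public class SlidingSessionAuthenticationModule : SessionAuthenticationModule
{
    /// <summary>
    /// Reissues the session token when it is past the midpoint of its validity
    /// period but not yet expired (allowing for the configured clock skew),
    /// then hands the event to the base implementation.
    /// </summary>
    /// <param name="args">
    /// Event data carrying the received session token; <c>SessionToken</c> and
    /// <c>ReissueCookie</c> are updated when the token is renewed.
    /// </param>
    protected override void OnSessionSecurityTokenReceived(SessionSecurityTokenReceivedEventArgs args)
    {
        var sessionSecurityToken = args.SessionToken;

        // WIF reports ValidFrom/ValidTo in UTC, and DateTime comparisons ignore
        // DateTime.Kind, so "now" must be UTC as well. With local time the
        // renewal window shifts by the server's UTC offset: renewals are missed
        // in zones behind UTC and reissued tokens are stamped in the future in
        // zones ahead of it.
        var now = DateTime.UtcNow;

        // Tolerate the configured clock skew when deciding whether the token
        // is still eligible for renewal.
        var validTo = sessionSecurityToken.ValidTo.Add(ServiceConfiguration.MaxClockSkew);

        if (now < validTo)
        {
            // Keep the lifetime the token was originally issued with.
            var timeout = sessionSecurityToken.ValidTo - sessionSecurityToken.ValidFrom;

            // Renew only during the second half of the lifetime so that a new
            // cookie is not written on every request.
            var window = TimeSpan.FromSeconds(timeout.TotalSeconds / 2);
            var renewalTime = sessionSecurityToken.ValidTo.Subtract(window);

            if (now > renewalTime)
            {
                args.SessionToken = CreateSessionSecurityToken(
                    sessionSecurityToken.ClaimsPrincipal,
                    sessionSecurityToken.Context,
                    now,
                    now.Add(timeout),
                    sessionSecurityToken.IsPersistent);

                // Ask the module to write the replacement token to the cookie.
                args.ReissueCookie = true;
            }
        }

        base.OnSessionSecurityTokenReceived(args);
    }
}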