Support configurable cookie expiration

[lmsurpre]

The current implementation adds a cookie without an expires value, which means it will be valid until the end of the session (e.g. when the user closes their browser).

In our case, we'd like to be able to control when the user must re-authenticate, similar to https://stackoverflow.com/q/50728337/161022

[jonlester]

Implementation should allow the cookie expiry timespan to be set, and if set slidingexpiration will be disabled as well. This will result in the user being redirected back to the IdP on the first request after the cookie expires. It should be transparent to the user since they are already logged into AAD. This could cause some problems for a SPA application that's using cookies, if the redirect can't be handled by the client. We'll need to note this.