The Forms Authentication Timeout value sets the amount of time in minutes that the authentication cookie is set to be valid, meaning, that after
value number of minutes, the cookie will expire and the user will no longer be authenticated i.e., he will be redirected to the login page automatically. The
slidingExpiration=true value is basically saying that after every request made, the timer is reset and as long as the user makes a request within the timeout value, he will continue to be authenticated.
If you set
slidingExpiration=false the authentication cookie will expire after
value number of minutes regardless of whether the user makes a request within the timeout value or not.
<forms loginUrl="~/Auth/SignOn.aspx" timeout="40" slidingExpiration="true" />
SessionState timeout value sets the amount of time a Session State provider is required to hold data in memory (or whatever backing store is being used, SQL Server, OutOfProc, etc) for a particular session. For example, if you put an object in Session using the value in your example, this data will be removed after 30 minutes. The user may still be authenticated but the data in Session may no longer be present. The
Session Timeout value is always reset after every request.
<sessionState timeout="30" />