How can I implement these scenarios using forms authentication?
If the user is Inactive for 40mins, he has to be logged out completely.
If the user has to enter password; he is essentially logged out. You can set session timeout to 20.
However if you really want to differentiate between the two you can update session item with last time user made a request. Set the session time out to 40 minutes. At any given time if the session last update entry is older than 20 minutes ask him to enter password again.
See the following for executing code before every request in MVC