My ASP.NET application manages two cookies: the standard auth cookie issued and managed by FormsAuthentication, and another cookie that enables single sign-on with a non-Windows/ASP.NET system.
The ASP.NET application is configured to enable a sliding expiration for the auth cookie via web.config:
<authentication mode="Forms">
    <!-- forms attributes removed for brevity -->
    <forms name=".ASPXAUTH" slidingExpiration="true" />
</authentication>
Unfortunately, sliding expiration only changes the auth cookie and not the SSO cookie. Is there an event I can subscribe to so that I may be notified when the auth cookie's expiration time is extended?
Alternatively, can I also emulate this behavior by intercepting each valid request to the app and extending the cookie manually? If so, which method must I implement to intercept such requests for any controller?
The auth cookie sliding expiration resets the expiration time if a request is made and more than half of the timeout interval has elapsed. So mimic this functionality.
When a user makes a request, check to see if more than half of the timeout interval has elapsed. If it has, then reset the expiration time for the SSO cookie.
This may get tricky because you can't get the expiration value from a cookie. If your SSO cookie doesn't have a key/value for the expiration date (not the Expires property of HttpCookie), then you'll need to add it. If you can't alter that cookie beyond just changing when it Expires, then possibly just set up a 3rd cookie to track when the SSO cookie will expire.
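The half-timeout check and the third tracking cookie described in this answer, as an added example that is not part of the original answer. It assumes a Global.asax hook, the cookie names SSO and SSO_EXP, an HTTPS-only site, and that the tracking value is protected with MachineKey so the client cannot edit it; all of these are illustrative choices, not details from the question.

```csharp
using System;
using System.Globalization;
using System.Text;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    const string SsoCookie = "SSO";         // assumed name of the SSO cookie
    const string TrackCookie = "SSO_EXP";   // assumed name of the tracking cookie
    const string Purpose = "sso-expiry";    // assumed MachineKey purpose string
    // Same rule as slidingExpiration: renew once more than half the timeout has elapsed.
    static bool MoreThanHalfElapsed(DateTime expiresUtc, DateTime nowUtc, TimeSpan timeout)
    {
        return expiresUtc - nowUtc < TimeSpan.FromTicks(timeout.Ticks / 2);
    }

    // The browser never sends Expires back, so the expiry is read from the tracking
    // cookie. Its value is MachineKey-protected; a tampered value fails Unprotect.
    static DateTime? ReadExpiry(HttpCookie c)
    {
        if (c == null || string.IsNullOrEmpty(c.Value)) return null;
        try
        {
            byte[] raw = MachineKey.Unprotect(Convert.FromBase64String(c.Value), Purpose);
            long ticks = long.Parse(Encoding.UTF8.GetString(raw), CultureInfo.InvariantCulture);
            return new DateTime(ticks, DateTimeKind.Utc);
        }
        catch (Exception) { return null; }  // tampered or malformed: treat as missing
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie sso = Request.Cookies[SsoCookie];
        if (!Request.IsAuthenticated || sso == null) return;
        DateTime now = DateTime.UtcNow;
        TimeSpan timeout = FormsAuthentication.Timeout;
        DateTime? expires = ReadExpiry(Request.Cookies[TrackCookie]);
        if (expires.HasValue && !MoreThanHalfElapsed(expires.Value, now, timeout)) return;

        // Re-issue both cookies; Path and Domain must match the original SSO cookie (not set here).
        DateTime newExpiry = now + timeout;
        string tracked = Convert.ToBase64String(MachineKey.Protect(
            Encoding.UTF8.GetBytes(newExpiry.Ticks.ToString(CultureInfo.InvariantCulture)), Purpose));
        Response.Cookies.Set(new HttpCookie(SsoCookie, sso.Value) { Expires = newExpiry, HttpOnly = true, Secure = true });
        Response.Cookies.Set(new HttpCookie(TrackCookie, tracked) { Expires = newExpiry, HttpOnly = true, Secure = true });
    }
}
```

Because renewal only runs for requests that FormsAuthentication has already authenticated, a missing or rejected tracking cookie cannot extend the SSO cookie beyond the lifetime of a valid auth ticket.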