I'm creating an application that will get the contents of a cookie storing a forms authentication ticket from .NET. That part is done. In that ticket is an expiration time, by default 20 minutes.

So the scenario is, a user logs in and is validated on the .NET side. Then they are redirected to my PHP app. I get the username, ticket expiration, etc.

What is the best way to go about renewing the ticket as the user stays active on my app? Here are two possible approaches; I'm sure there are more:

  1. At 10 minutes away from expiration and if the user is still active, a .NET web service is contacted to issue me a new ticket with a new expiration. When the page is idle for 20 minutes, the user is redirected to the original .NET login.

  2. PHP takes care of the expiration with a cookie on its side. When it approaches 10 minutes and the user is still browsing, it refreshes. But when the page is idle for 20 minutes, the user is redirected back to the original .NET login.

Other suggestions? Pros, cons to either of these? I'm looking for both speed and security.

+1  A: 

I'll assume from your question that you're not using persistent cookies and that you're using sliding expiration. If you intend on trying to replicate the same behavior in PHP then you might want to take a look at this.

Let us take an example: If the logon page is accessed at 5:00 00:00:00 PM, it should expire at 5:10 00:00:00 PM if the timeout attribute is 10 and the slidingExpiration attribute is set to TRUE. Now, if any Web page is browsed again at 5:05 00:00:00 PM, the cookies and ticket time-out period will be reset to 5:15 00:00:00 PM.

Basically you would update the cookie's expiration time whenever the user accesses one of your PHP pages.

Another option is to embed something like an IFRAME in your pages which would pull down an .aspx from your .NET site. This will have the effect of "refreshing" the cookie.

Ken Browning
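
The per-request decision discussed in this thread, as an added example that is not part of the original question or answer: it expires an idle session and reissues the ticket only once more than half the timeout has elapsed, which is also how ASP.NET applies sliding expiration. The function name, constant, and sample timestamps are assumptions made for illustration.

```php
<?php
// Added example; function and constant names are hypothetical.
const TICKET_TIMEOUT = 20 * 60; // 20-minute default from the question, in seconds

/**
 * Decide, on each request, what to do with the ticket.
 * Enforce this on the server from the ticket's own timestamps; the browser
 * dropping an expired cookie is not a control.
 */
function slideTicket(int $issuedAt, int $expiresAt, int $now, int $timeout = TICKET_TIMEOUT): array
{
    if ($now >= $expiresAt) {
        // Idle past the timeout: send the user back to the .NET login.
        return ['action' => 'login', 'issued' => $issuedAt, 'expires' => $expiresAt];
    }
    if (($now - $issuedAt) > ($expiresAt - $now)) {
        // More than half the lifetime used: obtain a fresh ticket
        // (web service call or cookie rewrite, per the two options in the question).
        return ['action' => 'renew', 'issued' => $now, 'expires' => $now + $timeout];
    }
    // Early in the window: leave the ticket alone, no extra round trip.
    return ['action' => 'keep', 'issued' => $issuedAt, 'expires' => $expiresAt];
}

// Constructed sample: ticket issued at 17:00:00 UTC, then three requests,
// each evaluated against that original ticket.
$issued  = gmmktime(17, 0, 0, 1, 1, 2024);
$expires = $issued + TICKET_TIMEOUT;
foreach ([5, 12, 25] as $minutes) {
    $r = slideTicket($issued, $expires, $issued + $minutes * 60);
    printf("+%2d min: %-5s expires %s\n", $minutes, $r['action'], gmdate('H:i:s', $r['expires']));
}
```

Renewing only in the second half of the window keeps option 1 down to at most one web service call per ten minutes of activity instead of one per page view.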