1
votes

I'm building a central authentication service (auth.xyz.com), similar to what Google has on accounts.google.com. I have multiple applications, each running on a different subdomain (app1.xyz.com, app2.xyz.com), which will be integrating with my auth service.

I am currently following a cookie-based system, with the cookie written on the ".xyz.com" domain so that it is readable by all the subdomains.

My problem is that I can't figure out how to handle the cookie expiry. If the user logs in at time t, spends 45 minutes on app1.xyz.com, and then goes to app2.xyz.com, I don't want him to have to log in again. Also, if the user logs in on app1.xyz.com, is then idle for 45 minutes, and then hits app2.xyz.com, I want him to have to log in again. How can I achieve this?

I don't want to touch the auth server on every request I get on app1 or app2.

1

1 Answers

0
votes

I do not think that is really possible. If that is the case, there will be a security hole in the entire flow of the applications. A user whose cookie has expired can still access the resources on servers app1 and app2 without authentication or some other trusted mechanism!
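The idle-timeout behaviour asked about in the question, as an added example that is not part of the question or the answer above: the cookie carries its own state (subject, issue time, last-activity time) and is signed with an HMAC key that auth.xyz.com shares with app1 and app2, so each app can verify it and slide the idle window locally, without a call to the auth server per request. The shared key, the `issue_cookie`/`verify_cookie` names, the 45-minute idle window, the 12-hour hard cap, the 60-second clock-skew allowance and every timestamp are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example (not from the original post):
# - every app on *.xyz.com holds the same HMAC key, handed out by auth.xyz.com
#   out-of-band as a config secret, so each app verifies cookies locally
# - timestamps are integer epoch seconds supplied by the caller
SHARED_KEY = b"example-shared-key-replace-in-production"
IDLE_TIMEOUT = 45 * 60        # re-login after 45 minutes without a request
MAX_LIFETIME = 12 * 60 * 60   # hard cap on a session regardless of activity
CLOCK_SKEW = 60               # tolerated clock difference between app servers


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: dict, key: bytes) -> str:
    """Serialise the payload and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def issue_cookie(user: str, now: int, key: bytes = SHARED_KEY) -> str:
    """Done by auth.xyz.com once at login; 'last' is the last-activity time."""
    return _sign({"sub": user, "iat": now, "last": now}, key)


def verify_cookie(cookie: str, now: int, key: bytes = SHARED_KEY):
    """Local check done by app1/app2 on every request, with no call to auth.xyz.com.

    Returns (payload, refreshed_cookie) when the cookie is valid, or None when
    the tag is wrong, the timestamps are inconsistent, the session has been idle
    for longer than IDLE_TIMEOUT, or MAX_LIFETIME is exceeded. The refreshed
    cookie carries the new 'last' time and must be written back to the browser
    on the .xyz.com domain so the other apps see the slid idle window.
    """
    body, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        payload = json.loads(_b64decode(body))
        iat, last = int(payload["iat"]), int(payload["last"])
    except (ValueError, KeyError, TypeError):
        return None
    if last < iat or now + CLOCK_SKEW < last:    # timestamps from the future
        return None
    if now - last > IDLE_TIMEOUT or now - iat > MAX_LIFETIME:
        return None
    payload["last"] = now                        # slide the idle window
    return payload, _sign(payload, key)


def question_scenarios() -> dict:
    """The two cases from the question plus a forgery attempt, constructed data."""
    t0 = 1_700_000_000
    cookie = issue_cookie("alice", t0)
    # case 1: active on app1 for 45 minutes (a request every 10 minutes), then app2
    current = cookie
    for minutes in (10, 20, 30, 40):
        _, current = verify_cookie(current, t0 + minutes * 60)
    active_then_app2 = verify_cookie(current, t0 + 45 * 60) is not None
    # case 2: login on app1, no request for 45 minutes, then app2
    idle_then_app2 = verify_cookie(cookie, t0 + 45 * 60 + 1) is not None
    # forgery: changing the subject while keeping the original tag
    _, _, tag = cookie.partition(".")
    forged_body = _b64encode(json.dumps(
        {"sub": "admin", "iat": t0, "last": t0},
        separators=(",", ":"), sort_keys=True).encode())
    tampered_accepted = verify_cookie(f"{forged_body}.{tag}", t0 + 60) is not None
    return {
        "active_then_app2": active_then_app2,      # True: no re-login needed
        "idle_then_app2": idle_then_app2,          # False: must log in again
        "tampered_accepted": tampered_accepted,    # False: tag does not verify
    }
```

Two caveats a practitioner would add. First, the cookie attributes matter as much as the signature: it should be set with Domain=.xyz.com, Secure, HttpOnly and a SameSite value, otherwise any subdomain script or plain-HTTP request can read or leak it. Second, because nothing contacts auth.xyz.com per request, a logout or account lock cannot take effect before the idle window runs out; if that matters, the apps need a periodic re-validation against the auth server or a short absolute lifetime, which is the trade-off the answer above is pointing at.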