Multiple B2C strategies to protect different endpoints

This post discusses using several B2C policies to protect different endpoints, which forces someone to log in again for more sensitive resources.

It sounds great, and the post comes with examples from Facebook or Google.

I tried to implement this by setting two acceptable rules on one controller and one policy on the other.

And if you open a page with the less secure policy and log in, and then open a different page with the more secure policy, you are asked to log in again. So far so good.

But now the cookie has the short expiration time of the secure policy, so you are prompted to log back in after that cookie expires, even though your cookie from the less secure login is still valid. And you are stuck logging in multiple times, at the short interval of the more secure cookie.

How do I tell it to switch back to using the still-valid old cookie (if it still exists)?

I thought about this, and I'm not sure whether the best way to deal with it is to check the "issued at" claim in the authorization policy to see if it is recent enough, and if not, return unauthorized so that they will be forced to log in again. They will receive another long-lived token at this point, with a new "issued at" value, and they can go anywhere on the site.

Any ideas?

TIA

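One way to build the "check how recently the user authenticated" idea from the question in ASP.NET Core, as an added example that is not code from the post or its author: a single long-lived cookie is kept, and a per-endpoint authorization requirement compares the principal's `auth_time` (falling back to `iat`) against a freshness window. Because an authenticated user who fails a policy normally gets a 403 rather than a login redirect, a custom `IAuthorizationMiddlewareResultHandler` turns that specific failure into a challenge, so the user signs in again and the cookie is reissued with a fresh timestamp. The policy name `Sensitive`, the 5-minute window, the two routes, and the assumption that the default challenge scheme is the B2C OpenID Connect sign-in policy are all illustrative choices, not anything the question specifies.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed: authentication is already configured with ONE long-lived cookie whose
// default challenge scheme is the B2C OpenID Connect sign-in policy (not shown here).
builder.Services.AddSingleton<IAuthorizationHandler, RecentAuthenticationHandler>();
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, ReauthenticateWhenStaleHandler>();
builder.Services.AddAuthorization(options =>
{
    // "Sensitive" is an assumed policy name; 5 minutes is an assumed freshness window.
    options.AddPolicy("Sensitive", policy => policy
        .RequireAuthenticatedUser()
        .AddRequirements(new RecentAuthenticationRequirement(TimeSpan.FromMinutes(5))));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "public").RequireAuthorization();                      // any valid cookie
app.MapGet("/account", () => "sensitive").RequireAuthorization("Sensitive");  // recent login only
app.Run();

// The principal must have authenticated no longer than MaxAge ago.
public sealed class RecentAuthenticationRequirement : IAuthorizationRequirement
{
    public TimeSpan MaxAge { get; }
    public RecentAuthenticationRequirement(TimeSpan maxAge) => MaxAge = maxAge;
}

public sealed class RecentAuthenticationHandler : AuthorizationHandler<RecentAuthenticationRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   RecentAuthenticationRequirement requirement)
    {
        // auth_time is when the user last entered credentials; iat is when the token was
        // minted. Prefer auth_time, fall back to iat. Both are Unix seconds and are only
        // present in the cookie principal if the OIDC handler kept them (copy them across
        // in OnTokenValidated if your claim actions strip them).
        var raw = context.User.FindFirst("auth_time")?.Value ?? context.User.FindFirst("iat")?.Value;
        if (raw is not null && long.TryParse(raw, out var seconds))
        {
            var authenticatedAt = DateTimeOffset.FromUnixTimeSeconds(seconds);
            if (DateTimeOffset.UtcNow - authenticatedAt <= requirement.MaxAge)
                context.Succeed(requirement);
        }
        // Neither Succeed nor Fail: the requirement stays unmet, which fails the policy.
        return Task.CompletedTask;
    }
}

// An authenticated user who fails a policy gets Forbid (403) by default. For a stale login
// we want a Challenge instead: a redirect to B2C sign-in, which reissues the cookie with a
// fresh auth_time/iat, after which the same cookie is accepted everywhere again.
public sealed class ReauthenticateWhenStaleHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _fallback = new();

    public async Task HandleAsync(RequestDelegate next, HttpContext httpContext,
                                  AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        var failed = authorizeResult.AuthorizationFailure?.FailedRequirements?.ToList();
        var onlyStale = authorizeResult.Forbidden
                        && failed is { Count: > 0 }
                        && failed.All(r => r is RecentAuthenticationRequirement);
        if (onlyStale)
        {
            await httpContext.ChallengeAsync(); // default challenge scheme: the B2C OIDC policy
            return;
        }
        await _fallback.HandleAsync(next, httpContext, policy, authorizeResult);
    }
}
```

Two caveats worth checking before relying on this. First, B2C may satisfy the new challenge from its own single sign-on session without asking for credentials, so the reissued token carries the old `auth_time` and the user lands in a redirect loop; setting `Prompt` (for example to `login`) on the `OpenIdConnectOptions`, or passing it in the challenge's `AuthenticationProperties`, forces a real re-authentication. Second, only `auth_time` reflects when the user actually typed a password; `iat` is merely when the token was minted, so it is a weaker signal if tokens are ever refreshed silently.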