My web app hosted in free azure web app has a strange issue where the user need to re-login again even during active usage
The code to login is
signInManager.PasswordSignInAsync(username, password, rememberMe, true);
even with rememberMe being set to true, user still need to relogin
Some google said that it could be machine key issue but I don't think azure moved my free instance to anothe machine so often.
I restarted the instance for to test and the cookie still working.

If I look to chrome, cookie should expires when browsing session end but that is not the case.
At this stage Im not sure where to look other than it could be a bug in identity cookie implementation or its due azure free web instance
Is this the reason? 30 minutes?

Testing again with rememberMe set to true
Expired in the next 2 weeks, lets see

ok identity cookie gone after 30 minutes even rememberMe being set to true
this thread say something about securityStamp
https://github.com/aspnet/Identity/issues/900
testing with this code
services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromMinutes(1));
Authentication indeed gone after 1 minute! Nice new feature eh, not even in the documentation
https://github.com/aspnet/Identity/issues/999
https://github.com/aspnet/Identity/issues/1478
What is the security impact setting ValidationInterval to 2 weeks?
Just means if you were to change a user's role, or remove the ability for a particular user to login, it wouldn't take effect until after 2 weeks (i.e. the maximum time a stale cookie can be used is the validation interval).
Is this intended feature?
I think what people expect is that the authentication login should be as long as
Change a user's role or remove the ability for user to login should be direct effect
It will be crazy that we need to wait 30 minutes
Now I have to set it to 2 weeks, it will be even crazier otherwise my user need to re-login every 30 minutes which is not acceptable business case
Something is not right here...
This is intended. You can hook into the cookie middleware ValidatePrinciple event - https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x#reacting-to-back-end-changes
Most helpful comment
Is this intended feature?
I think what people expect is that the authentication login should be as long as
Change a user's role or remove the ability for user to login should be direct effect
It will be crazy that we need to wait 30 minutes
Now I have to set it to 2 weeks, it will be even crazier otherwise my user need to re-login every 30 minutes which is not acceptable business case
Something is not right here...