Why log out sooner than ExpireTimeSpan in asp.net identity?

I am working on an ASP.NET MVC application that uses ASP.NET Identity.
In the Startup.Auth.cs file I set ExpireTimeSpan to 20 days, but when I log in to my app, my app is logged out sooner than 20 days and I have to log in again!

Startup.Auth.cs

using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, User>(
                    validateInterval: TimeSpan.FromMinutes(0),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },
            ExpireTimeSpan = TimeSpan.FromDays(20),
            SlidingExpiration = true
        });
    }
}

And in the Login action:

var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: true);

Update

When I log in, .AspNet.ApplicationCookie is generated and its expiry date is set to 20 days later, and when I open the site the next day, I am logged out but the cookie still exists.

[screenshot of the issued .AspNet.ApplicationCookie and its expiry date]

What is the cause of this problem?
Thanks in advance.

Majid Basirati asked Oct 28 '25 05:10


1 Answer

Here are a few reasons for logging out sooner than expected:

  • Having multiple web apps on the same domain where all of them have the same cookie name (cookie name collisions). In this case app A overwrites app B's cookies.

  • When validateInterval is set to zero (TimeSpan.FromMinutes(0)), all calls to UpdateSecurityStamp will force the user to log out and log in again immediately, including UserManager.CreateAsync, UserManager.RemovePasswordAsync, UserManager.UpdatePassword, UserManager.RemoveLoginAsync, UserManager.ChangePhoneNumberAsync/SetPhoneNumberAsync, UserManager.SetTwoFactorEnabledAsync, UserManager.SetEmailAsync, which means that if you update the user's properties, UpdateSecurityStamp will be called.

  • If you update the .NET Framework on the server, it will overwrite the machine key too. Changing that will mark all of the issued cookies as invalid. The machine key is a set of keys used to encrypt and decrypt the cookies. If you are running behind a load balancer, you will want to ensure that the web farm is using a consistent machine key.

  • If you are storing too many user claims in your cookies, they will become large (larger than ~5K) and some browsers will reject them, so check the size of the issued cookie.

  • Users can set their browser to delete cookies when they close it (private browsing).
VahidN answered Oct 30 '25 13:10
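As an added example (not code from the question, the answer, or the Identity library), here is a small console model of how the security-stamp validator decides whether a cookie survives a request, using the validateInterval setting from the question together with a constructed stamp change; the StampValidationModel class, its methods and the stamp values are hypothetical stand-ins for the real OWIN validator.

```csharp
using System;

// Hypothetical stand-alone model of the SecurityStampValidator decision;
// this is added example code, not the Microsoft.AspNet.Identity.Owin source.
public static class StampValidationModel
{
    // The OWIN validator re-checks the stamp against the user store when the
    // cookie carries no IssuedUtc or when more than validateInterval has
    // elapsed since it was issued. With TimeSpan.Zero that is true on
    // practically every request.
    public static bool IntervalElapsed(DateTimeOffset? issuedUtc, DateTimeOffset nowUtc, TimeSpan validateInterval)
    {
        if (issuedUtc == null) return true;
        return nowUtc - issuedUtc.Value > validateInterval;
    }

    // Returns true when the request keeps the user signed in; false models
    // RejectIdentity() followed by a sign-out of the application cookie.
    public static bool KeepsSignedIn(DateTimeOffset? issuedUtc, DateTimeOffset nowUtc,
                                     TimeSpan validateInterval, string stampInCookie, string stampInStore)
    {
        if (!IntervalElapsed(issuedUtc, nowUtc, validateInterval))
            return true;                          // no store lookup yet, cookie stays valid
        return stampInCookie == stampInStore;     // mismatch => cookie rejected
    }

    public static void Main()
    {
        // Constructed scenario: the cookie is issued, then ten minutes later a
        // profile update calls UpdateSecurityStamp and changes the stored stamp.
        var issued = new DateTimeOffset(2025, 10, 28, 5, 10, 0, TimeSpan.Zero);
        var tenMinutesLater = issued.AddMinutes(10);
        const string stampInCookie = "stamp-before-update";
        const string stampInStore = "stamp-after-update";

        bool withZero = KeepsSignedIn(issued, tenMinutesLater, TimeSpan.Zero, stampInCookie, stampInStore);
        bool withThirty = KeepsSignedIn(issued, tenMinutesLater, TimeSpan.FromMinutes(30), stampInCookie, stampInStore);

        Console.WriteLine("validateInterval = 0 min  -> still signed in: " + withZero);
        Console.WriteLine("validateInterval = 30 min -> still signed in: " + withThirty);
    }
}
```

With a non-zero interval the stamp change still takes effect, but only once the interval has elapsed, so a password change or external-login update invalidates other sessions within that window rather than on the very next request.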


