When I activate the OWIN logout-everywhere feature via security stamps and use the OnValidateIdentity-Callback of the CookieAuthenticationProvider
I have found the following code in the disassembly of SecurityStampValidator.OnValidateIdentity:
    // .. some other code
    // ...
    ClaimsIdentity claimsIdentity = await regenerateIdentityCallback(userManager, tUser);
    if (claimsIdentity != null)
    {
        context.get_OwinContext().get_Authentication().SignIn(new ClaimsIdentity[]
        {
            claimsIdentity
        });
    }
It seems to me that the SignIn-operation is incomplete and should set the remember-me option? Therefore I assume that the implementation of SecurityStampValidator is buggy.
This is resolved in ASP.NET Identity 2.2. See https://aspnetidentity.codeplex.com/workitem/2319
This is basically a bug, the regeneration of the cookie should respect the current Remember Me option on the cookie. As a workaround, you can copy the OnValidateIdentity code and feed in the current context properties to flow the Persistent mode through:
    context.OwinContext.Authentication.SignIn(context.Properties, identity);
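
The workaround from the answer above, written out as an added example (not code from either poster or from the ASP.NET Identity source): a validator for string user ids that signs in again with the cookie's own properties, so IsPersistent survives the regeneration. The class name `PersistentStampValidator`, the default stamp claim type and the timestamp reset are assumptions of this example.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.Cookies;

// Hypothetical class name; adapted copy of the stamp validator for string user ids.
public static class PersistentStampValidator
{
    // Assumption: the app keeps Identity 2.x's default security stamp claim type.
    private const string StampClaimType = "AspNet.Identity.SecurityStamp";
    public static Func<CookieValidateIdentityContext, Task> OnValidateIdentity<TManager, TUser>(
        TimeSpan validateInterval, Func<TManager, TUser, Task<ClaimsIdentity>> regenerateIdentity)
        where TManager : UserManager<TUser, string>
        where TUser : class, IUser<string>
    {
        return async context =>
        {
            // Only re-check the stamp once the validation interval has elapsed.
            DateTimeOffset? issuedUtc = context.Properties.IssuedUtc;
            if (issuedUtc != null && DateTimeOffset.UtcNow - issuedUtc.Value <= validateInterval)
                return;
            var manager = context.OwinContext.GetUserManager<TManager>();
            string userId = context.Identity.GetUserId();
            if (manager == null || userId == null) return;

            TUser user = await manager.FindByIdAsync(userId);
            string cookieStamp = context.Identity.FindFirstValue(StampClaimType);
            bool valid = user != null && manager.SupportsUserSecurityStamp
                && cookieStamp == await manager.GetSecurityStampAsync(userId);
            if (!valid)
            {
                // Stamp changed (logout everywhere, password change): drop this session.
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
                return;
            }

            ClaimsIdentity identity = regenerateIdentity == null ? null : await regenerateIdentity(manager, user);
            if (identity == null) return;
            // Added in this example, not in the answer's one-liner: clear the old timestamps
            // so the cookie middleware issues fresh ones instead of reusing the stale values.
            context.Properties.IssuedUtc = null;
            context.Properties.ExpiresUtc = null;
            // Passing context.Properties carries IsPersistent over to the new cookie.
            context.OwinContext.Authentication.SignIn(context.Properties, identity);
        };
    }
}
```

It is assigned to `CookieAuthenticationProvider.OnValidateIdentity` in place of the built-in `SecurityStampValidator.OnValidateIdentity`; a persistent cookie should then still carry an expiry date after the first regeneration.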