为什么我每次必须通过此身份验证过程重新登录

Question

我在Startup.cs中使用以下配置设置了ASP.Net Core 3.0 Web服务器：

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddControllers();

        services.AddIdentityServer(options =>
            {
                options.Authentication.CookieSlidingExpiration = true;
                options.Authentication.CookieLifetime = TimeSpan.FromDays(30);
            }
        )
        .AddInMemoryCaching()
        .AddClientStore<InMemoryClientStore>()
        .AddResourceStore<InMemoryResourcesStore>();

        services.AddAuthentication();
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseHsts();
        }

        app.ConfigureExceptionHandler();

        app.UseHttpsRedirection();
        app.UseFileServer();

        app.UseRouting();

        app.UseIdentityServer();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }

您可以看到我将cookie的生存期设置为30天。

这是我使用用户名/密码登录时运行的代码：

    [HttpGet("Signin")]
    public async Task<ActionResult<AccountResponse>> Signin([FromQuery]string email, [FromQuery]string password)
    {
        var (account, status) = accountRepository.AuthenticateAccount(email, password);
        if (status == AccountRepository.AuthenticateAccountStatusEnum.InvalidEmailPassword)
            return new ResponseBuilder<AccountResponse>().WithError("Invalid email/password").Build();
        else if (status == AccountRepository.AuthenticateAccountStatusEnum.AccountExternalProvider)
            return new ResponseBuilder<AccountResponse>().WithError("This email is not associated with a local account.").Build();
        else if (account.Status == AccountStatusEnum.WaitingForVerificationCode)
            return new ResponseBuilder<AccountResponse>(Mapper.Map<AccountResponse>(account))
                .WithMessage("This email address is still not verified.")
                .Build();
        else
            return await CompleteLogin(account);
    }

    private async Task<AccountResponse> CompleteLogin(AccountModel account)
    {
        await HttpContext.SignInAsync(account.Email, account.Email, new AuthenticationProperties { IsPersistent = true, ExpiresUtc = DateTime.UtcNow.AddDays(30) });

        return Mapper.Map<AccountResponse>(account).WithAuthenticated();
    }

您可以看到我再次将有效期设置为30天，并将IsPersistent设置为true。

所有这些都很好。如果我登录并关闭浏览器并重新打开，则它仍已通过身份验证。

唯一的错误是，如果我登录并让时间流逝，比如说晚上，我会刷新页面并且不再进行身份验证。

我想念什么？我希望用户长时间保持身份验证（即使他关闭浏览器，重新启动等）。

编辑：

这是我从浏览器中看到的cookie：

看起来还不错...请注意，该Cookie信息来自“已登出”（很奇怪？）的浏览器会话。