OnValidateIdentity disables the MVC OWIN remember me option

Question

When I activate the OWIN logout-everywhere feature via security stamps and use the OnValidateIdentity-Callback of the CookieAuthenticationProvider with the SecurityStampValidator-class, the user is logged out every time he closes the browser.

provider.OnValidateIdentity =
    SecurityStampValidator.OnValidateIdentity<MyUserManager, MyUser>(
        System.TimeSpan.FromSeconds(10),(manager, user) => {
            return user.GenerateUserIdentityAsync(manager);                                                       
        });

However, when I do the plumbing myself (lookup and comparison of the security stamps, rejecting or renewing the identity) in the OnValidateIdentity-callback, everything seems to work fine.

Is this a known bug, or do I miss here something? Or is there a good documentation about the CookieAuthenticationProvider and the use of OnValidateIdentity?
Digging with google only shows me some simple samples, but gives no further insight.

Additional information

• I use an own implementation of the UserStorage which saves all the data in a database
• I noted that every page request calls two times the GetSecurityStampAsync of the UserStorage, wheras when I use my implementation, only one call is done.
• Installed Identity Version is 2.0.1

Answer 1

This is resolved in ASP.NET Identity 2.2. See https://aspnetidentity.codeplex.com/workitem/2319

Answer 2

This is basically a bug, the regeneration of the cookie should respect the current Remember Me option on the cookie. As a workaround, you can copy the OnValidateIdentity code and feed in the current context properties to flow the Persistent mode through:

context.OwinContext.Authentication.SignIn(context.Properties, identity);

Answer 3

I have found the following code in the disassembly of SecurityStampValidator.OnValidateIdentity:

// .. some other code
// ...
ClaimsIdentity claimsIdentity = await regenerateIdentityCallback(userManager, tUser);
if (claimsIdentity != null){
context.get_OwinContext().get_Authentication().SignIn(new ClaimsIdentity[]
    {
       claimsIdentity
    });
}

It seems to me, that the SignIn-operation is incomplete and should set the remember-me option? Therefore I assume that the implementation of SecurityStampValidator is buggy.