That's exactly how it is supposed to work. Login should only persist for the session (the tab window). This is the best practice for security and should be the default for every site you visit. Every time the user returns to your site they should have to log in.
Imagine if you don't do this. A malicious user gains access to the user's machine, opens their browser and goes to the URL of your site. They are logged in so they can do whatever the user could do. Making login a one-time feature mostly defeats the purpose of having a login. Note that on a public computer (such as in a library) if the user went to your site and logged in then closing the browser would be how they "log out". If you didn't log them out then anyone else using that machine would be logged into their account.
There ae sites that might offer to cache your credentials but this should only be done for sites where sensitive data isn't stored. For example you would never do this on a financial site. Some sites, including some MS sites, might even allow you to use your cached MS credentials but they require a "login" when you attempt to change sensitive data. This is overkill for many sites but useful if you really, really don't want a user to log in again. But in each case the site generally offers to remember the credentials so the user has a choice.
As for how to enable the user to persist their login across sessions then you need to adjust your call to SignInAsync
to pass a third parameter of AuthenticationProperties. Set the IsPersistent
property to true. You should also strongly consider setting the ExpiresUtc
as well so it doesn't persist forever though.
In terms of your logout functionality, you should never assume it is called. Logout would only occur if the user explicitly logged out and should be used to clean up resources. However if the user closes the browser then it won't trigger a logout. Honestly there is no reliable way of knowing when a user has stopped their browsing session. There are client side things you can do but ultimately a power outage, forced close of the browser and other scenarios will override all this.