This is indeed strange. However I couldn't reproduce it locally. Refreshing the second browser never caused automatic login to happen. By the way I added this code to reduce the session timeout.
I inserted it just before var app = builder.Build(); in Program.cs.
The login is entirely relying on the built-in ASP.NET Core Identity. You can try debugging the application to see when the CurrentUser method of the AccоuntController class is called.
I have debug many time in other new project. It the same.
Refreshing the web browser for a logged-in user who has been inactive for a long time (approximately 20 to 60 minutes and not close browser) will make all sessions as this user for a duration of 2 minutes.
CurrentUser method always return user 'a@gmail.com' duration of 2 minutes affter refresh browser.
I can't reproduce this behavior in local tests. Maybe I am missing something. Please try with the suggested code to reduce the session expiration and see if you can reproduce this in a more predictable manner.
I conducted further research and managed to reproduce the problem. It seems to be related to session sliding expiration and the default cookie caching done by HttpClient.
When the user logs in one browser and then opens http://localhost:5001 in another browser everything is fine. If however some time before the session expires browser 1 is refreshed something happens in ASP.NET internally and the cached cookie from browser 1 is reused in browser 2. I tested with 30 second session with sliding expiration enabled:
Setting UseCookies to false seems to solve the problem. At least I wasn't able to reproduce it for more than 2 hours of testing.
The solution is this:
builder.Services.AddHttpClient("AppName") // "AppName" is your application name and will be different
.ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
{
UseCookies = false // <-- disable cookie caching
}).AddHeaderPropagation(o => o.Headers.Add("Cookie"));
Let me know if this fixes the issue for you. To avoid waiting for the entire session interval reduce it to a shorter interval.