On the OWASP website, one of their top ten items states that we should consider regenerating a new session upon successful authentication or privilege level change.
What would be the correct way of doing this?
One thing a co-worker has told me, but I haven't tested, is that when a user uses browser tabs, each tab does not get its own session, so I think that would negate the whole exercise.
Thanks, Paul Speranza
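An added example, not from the original post or from OWASP, showing what "regenerate the session on login or privilege change" looks like server-side. The `SessionStore` class and its method names are hypothetical; a real application would use its framework's own session API, but the pattern is the same: keep the session data, mint a new random identifier, and delete the old one before any authenticated state is written, so an identifier an attacker planted or observed before login never maps to the authenticated session (session fixation).

```python
import secrets
import time

# Hypothetical in-memory session store built for this example (assumption:
# a real application would use its web framework's session mechanism).
class SessionStore:
    def __init__(self, idle_timeout=1800):
        self._sessions = {}
        self.idle_timeout = idle_timeout

    def _new_id(self):
        # 256 bits from the OS CSPRNG; never derive session IDs from
        # predictable values such as timestamps or user IDs.
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self._new_id()
        now = time.time()
        self._sessions[sid] = {"user": None, "role": "anon",
                               "created": now, "last": now}
        return sid

    def get(self, sid):
        """Return the session for sid, or None if unknown or idle-expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if time.time() - sess["last"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess["last"] = time.time()
        return sess

    def regenerate(self, sid):
        """Issue a fresh ID for an existing session and kill the old ID."""
        sess = self._sessions.pop(sid)          # old ID is now invalid
        new_sid = self._new_id()
        self._sessions[new_sid] = sess          # data carries over
        return new_sid

    def login(self, sid, username):
        # If the client presented no usable session, start a clean one.
        if sid is None or self.get(sid) is None:
            sid = self.create()
        # Rotate BEFORE writing authenticated state: the pre-auth ID (which
        # an attacker may have fixed in the victim's browser) must never
        # be usable once the user is logged in.
        new_sid = self.regenerate(sid)
        self._sessions[new_sid]["user"] = username
        self._sessions[new_sid]["role"] = "user"
        return new_sid

    def elevate(self, sid, role):
        # Same rule for privilege changes (e.g. user -> admin, or re-auth
        # for a sensitive operation): new ID, old ID invalidated.
        new_sid = self.regenerate(sid)
        self._sessions[new_sid]["role"] = role
        return new_sid

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie alone is not enough.
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value the server sends after regeneration (hypothetical
    cookie name). HttpOnly/Secure/SameSite limit how the ID can leak."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def fixation_demo():
    """Constructed scenario: attacker plants an anonymous session ID in the
    victim's browser; victim logs in; the planted ID must be dead."""
    store = SessionStore()
    planted = store.create()                    # attacker knows this ID
    victim_sid = store.login(planted, "alice")  # server rotates on login
    return {
        "rotated": victim_sid != planted,
        "planted_id_dead": store.get(planted) is None,
        "new_id_user": store.get(victim_sid)["user"],
    }


if __name__ == "__main__":
    print(fixation_demo())
```

The new ID goes back to the client in a `Set-Cookie` header on the login response; since the cookie jar is shared by every tab of the same browser profile, all open tabs send the new cookie on their next request, so tabs sharing a session does not undermine the rotation. The same `regenerate` step belongs at any privilege change, and `logout` must destroy the server-side record rather than only expiring the cookie.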