I have a website that's using forms authentication and membership. A user must have cookies enabled to use the site. I've been asked to change the code so that the session id is changed as soon as a user logs in. Apparently this will protect against a Session Fixation attack (http://en.wikipedia.org/wiki/Session%5Ffixation). Does anyone know how I can change the session id without losing the whole session? PHP has a specific method for doing this but I can't find a .NET equivalent.

+1  A: 

Here's a blog post that talks about this:

ASP.NET does not directly support functionality to regenerate a session ID. See the documentation regarding the issue here. There is a not-so quick and dirty way to do it by setting the ASPNET_SessionID value to the empty string and redirecting so that the value is regenerated.

Druid
I also thought about this, but after regenerating it, all the objects in the session object will be lost...
MemoryLeak
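
The following is an added example, not code from the posts above or from the quoted blog. It sketches the abandon-and-redirect approach for classic ASP.NET (System.Web) and addresses the lost-session concern by carrying a short allowlist of pre-login values across the ID change. The class, method, cache-key and session-key names are hypothetical; `ASP.NET_SessionId` is the framework's default session cookie name.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Added example; class, method and key names are hypothetical.
public static class FreshSessionLogin
{
    // Default cookie name; adjust if <sessionState cookieName="..."> overrides it.
    private const string SessionCookieName = "ASP.NET_SessionId";
    // Only these pre-login keys are carried over (assumed names).
    private static readonly string[] CarryKeys = { "Cart", "Culture" };

    // Call after the credentials have been validated (e.g. Membership.ValidateUser).
    public static void SignIn(HttpContext ctx, string userName, string landingUrl)
    {
        // Snapshot the allowed values server-side, keyed by the authenticated user.
        var carried = new Dictionary<string, object>();
        foreach (string key in CarryKeys)
            if (ctx.Session[key] != null) carried[key] = ctx.Session[key];
        HttpRuntime.Cache.Insert("carry:" + userName, carried, null,
            DateTime.UtcNow.AddMinutes(1), Cache.NoSlidingExpiration);

        // Discard the pre-login session and blank its cookie so the next
        // request is issued a new session ID.
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(
            new HttpCookie(SessionCookieName, string.Empty) { HttpOnly = true });

        // Issue the forms-authentication ticket and redirect without aborting the thread.
        FormsAuthentication.SetAuthCookie(userName, false);
        ctx.Response.Redirect(landingUrl, false);
        ctx.ApplicationInstance.CompleteRequest();
    }

    // Call from the landing page (first authenticated request, new session ID).
    public static void RestoreCarried(HttpContext ctx)
    {
        string cacheKey = "carry:" + ctx.User.Identity.Name;
        var carried = HttpRuntime.Cache.Remove(cacheKey) as Dictionary<string, object>;
        if (carried == null) return;
        foreach (KeyValuePair<string, object> item in carried)
            ctx.Session[item.Key] = item.Value;
    }
}
```

Values written to the session before login may have been set by whoever fixed the session ID, so the allowlist should contain only data that is harmless if attacker-chosen. `HttpRuntime.Cache` is per-process; on a web farm the snapshot needs a shared store instead.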