It is my understanding, according to the MSDN, that regenerateExpiredSessionId="true" specifies that the session ID will be reissued when an expired session ID is specified by the client. However, this does not seem to be working as described.
Let's say you have an application configured as follows:
<sessionState
    cookieless="AutoDetect"
    regenerateExpiredSessionId="true" />
And somewhere else, you have a link to a page in that application in which an expired session ID is embedded:
<p><a href="http://localhost/SessionStateTest/(S(3gxng155isp0ocvhveoklnqe))/Default.aspx">Here is a link!</a></p>
If a browser in which cookies are not enabled clicks on that link, the session ID is not reissued. It is recycling the expired ID from the URL and creating the new session with this old ID.
Of course, if several no-cookie browsers click on the link simultaneously, they ALL share that same expired session ID, which is obviously a security issue.
Isn't regenerateExpiredSessionId="true" supposed to prevent users from inadvertently sharing the same session state? If so, why isn't the framework generating new session IDs as expected in this case?
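As an added configuration example, not part of the original question: the AutoDetect fragment from the question beside a cookie-only configuration that keeps the session ID out of the URL entirely, which is what lets a link carry one. The attributes are standard system.web settings; the timeout value is a constructed placeholder.

```xml
<!-- Added example, not the original post's web.config. Two sessionState
     fragments for the same application: the one from the question (kept in
     a comment) and a cookie-only replacement. Use one or the other; the
     timeout value is a constructed placeholder. -->
<system.web>
  <!-- As posted: AutoDetect places the session ID in the URL for clients
       without cookies, so an ID embedded in a link is presented by every
       client that follows that link. -->
  <!--
  <sessionState
      cookieless="AutoDetect"
      regenerateExpiredSessionId="true" />
  -->

  <!-- Replacement: the session ID is carried only in a cookie, never in
       the URL, so a shared link cannot carry one. regenerateExpiredSessionId
       is kept, but it only governs IDs that arrive in the URL. -->
  <sessionState
      cookieless="UseCookies"
      regenerateExpiredSessionId="true"
      timeout="20" />

  <!-- Cookies (including the session cookie) are not readable from script
       and are only sent over HTTPS. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```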