=== on 19 Jan 2021, 10:51:22 Costin Zaharia wrote:
As far as I can tell this rule does not apply to *ASP.Net* and *ASP.Net Core* where the session id cannot be changed. According to https://owasp.org/www-community/controls/Session_Fixation_Protection[OWASP]:

____
Unfortunately, some platforms, notably Microsoft ASP, do not generate new values for sessionid cookies, but rather just associate the existing value with a new session. This guarantees that almost all ASP apps will be vulnerable to session fixation, unless they have taken specific measures to protect against it.

____