ASP.NET expired session IDs are not regenerated - Vulnerability Database

Description

This web application has the sessionState property regenerateExpiredSessionId set to false, which indicates that expired session IDs will not be regenerated. Session IDs are tokens generated by web applications to uniquely identify an application user's session. When a user logs out, the web application must invalidate the current session ID so that it cannot be used anymore.

Remediation

It's recommended to set the sessionState property regenerateExpiredSessionId to true.

    <sessionState ... regenerateExpiredSessionId="true" />
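One way to check for this setting before deployment, as an added example that is not part of the original advisory: the Python script below parses a web.config and reports the regenerateExpiredSessionId state of every sessionState element, including those inside location blocks. The function name, the status labels and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATTR = "regenerateExpiredSessionId"

# Constructed sample web.config (not from any real application).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="UseUri" regenerateExpiredSessionId="false" />
  </system.web>
  <location path="admin">
    <system.web><sessionState mode="InProc" regenerateExpiredSessionId="true" /></system.web>
  </location>
  <location path="reports">
    <system.web><sessionState timeout="20" /></system.web>
  </location>
</configuration>"""

def audit_session_state(web_config_xml):
    """Return (scope, status) for every <sessionState>: 'disabled' when the
    attribute is explicitly false, 'enabled' when set otherwise, 'unset' when absent."""
    findings = []

    def walk(node, scope):
        for child in node:
            name = child.tag.rsplit("}", 1)[-1]  # ignore an xmlns on <configuration>
            if name == "location":
                walk(child, child.get("path", "(root)"))
            elif name == "sessionState":
                value = child.get(ATTR)
                if value is None:
                    status = "unset"  # inherited from a parent config or the default
                elif value.strip().lower() == "false":
                    status = "disabled"
                else:
                    status = "enabled"
                findings.append((scope, status))
            else:
                walk(child, scope)

    # Intended for your own configuration files, not untrusted XML.
    walk(ET.fromstring(web_config_xml), "(root)")
    return findings

if __name__ == "__main__":
    for scope, status in audit_session_state(SAMPLE_WEB_CONFIG):
        flag = "FLAG" if status == "disabled" else "ok"
        print(f"{flag:4} scope={scope} {ATTR}={status}")
```

Entries reported as "unset" take their value from a parent configuration file or the framework default, so review them alongside the files they inherit from.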
