
Force ASPSessionID to change on login


Question:

How do I get Classic ASP to change the session ID after the user logs in?

 

Background:

One of our clients ran a security audit against our web site. So far, we've been able to resolve all the issues they reported. However, there's one security issue that I'm not sure how to solve, mostly because I've never worked with Classic ASP before. When the user goes to our web site, Classic ASP creates a session and sets a session ID in a cookie. When the user logs in, instead of changing the session ID now that the user has been authenticated, the session ID remains the same. It is considered a security flaw to use the same session ID after authentication. (See http://shiflett.org/articles/session-fixation for information from a PHP perspective.)

So, here's my question: How do I get Classic ASP to change the session ID after the user logs in? SessionID is a read-only property, and there doesn't seem to be a method to regenerate this ID.
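
The audit finding described above can be re-tested after any fix by comparing the session cookie the browser sends with the login request against the cookies the login response sets. This is an added example, not part of the original post; the function names and the sample header values are constructed for illustration, and it relies on Classic ASP naming its session cookie `ASPSESSIONID` plus a suffix.

```python
from http.cookies import SimpleCookie

ASP_PREFIX = "ASPSESSIONID"  # Classic ASP cookie name: this prefix plus a suffix


def asp_session_ids(header_values):
    """Collect ASP session ID values from Cookie or Set-Cookie header values."""
    ids = set()
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name.upper().startswith(ASP_PREFIX):
                ids.add(morsel.value)
    return ids


def fixation_check(login_request_cookies, login_response_set_cookies):
    """Return (vulnerable, reason) for one login request/response pair."""
    before = asp_session_ids(login_request_cookies)
    after = asp_session_ids(login_response_set_cookies)
    if not before:
        return False, "no pre-login session ID was presented"
    if not after:
        return True, "login set no new session cookie; pre-login ID stays in use"
    if before & after:
        return True, "login re-issued the pre-login session ID"
    return False, "session ID changed at login"


# Constructed sample traffic (not captured from a real site).
SENT = ["ASPSESSIONIDQABCDEFG=KLMNOPQRSTUVWXYZABCDEFGH"]
UNCHANGED = ["lang=en; path=/"]  # login response that sets no session cookie
ROTATED = ["ASPSESSIONIDQABCDEFG=ZYXWVUTSRQPONMLKJIHGFEDC; path=/; HttpOnly"]

if __name__ == "__main__":
    print(fixation_check(SENT, UNCHANGED))
    print(fixation_check(SENT, ROTATED))
```

Values are compared rather than cookie names, so the check still works if the name suffix differs between the two responses.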

 

