 

Is regenerating the session id after login a good practice?

I'm wondering if regenerating the session id after a successful login is really a good practice and not just a sort of cargo cult behavior.

If I understand the theory correctly it should prevent session hijacking (or at least make it harder), but I can't really see, if someone could steal the pre-login session, what would stop the phisher from doing it again with the regenerated one.

I'm not focusing on Spring (I don't even use Java currently), I'm interested in the pros and cons.

Wabbitseason asked May 26 '11 09:05


2 Answers

Yes. You should regenerate the session on login, to help defend against session fixation and login CSRF.

See OWASP's recommendation for more.

D.W. answered Oct 22 '22 15:10


You regenerate to prevent session hijacking when the pre-login is http and the post-login is https. That is what stops the attacker from doing it again with the regenerated one.

It is relatively easy to steal a session identifier for an http session, assuming you are near the victim, or in the path somewhere, or have phished, etc., and if this session identifier is also viable in the encrypted session it can make the attacker's job quite easy.

Rory Alsop answered Oct 22 '22 17:10
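Both answers come down to the same mechanism: an id that was valid before login, whether planted by a third party (D.W.'s session-fixation case) or seen in plaintext before the http-to-https switch (Rory Alsop's case), must not be the id that identifies the authenticated session. The Python model below is an added example, not code from the question or either answer; the `SessionStore` class, its `regenerate_on_login` flag, the `USERS` table and the sample cart data are assumptions constructed for illustration. It runs the same login flow with regeneration off and on, and also shows the related check that an id the server never issued is not promoted to an authenticated session.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential table for this example (not from the page). A real
# application stores password hashes; the point here is the session handling.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None          # None until login succeeds
    issued_over_tls: bool = False       # was this id first sent over https?
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by an unguessable id (assumed design)."""

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, Session] = {}

    def start(self, over_tls: bool) -> str:
        """Issue a fresh pre-login session id (e.g. for a shopping cart)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(issued_over_tls=over_tls)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: Optional[str], user: str, password: str,
              over_tls: bool = True) -> str:
        """Authenticate and return the id the client must use from now on."""
        expected = USERS.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            raise PermissionError("bad credentials")

        # Never adopt an id the server did not issue: an unknown id gets a
        # brand-new session rather than being promoted to authenticated.
        old = self._sessions.pop(sid, None) if sid else None
        carried = old.data if old is not None else {}

        if self.regenerate_on_login or old is None:
            new_sid = secrets.token_urlsafe(32)   # old id is now dead
        else:
            new_sid = sid                         # weak: pre-login id survives
        self._sessions[new_sid] = Session(user=user, issued_over_tls=over_tls,
                                          data=carried)
        return new_sid


def pre_login_id_still_authenticated(regenerate: bool) -> bool:
    """True if the id that existed before login now identifies the logged-in user.

    The pre-login id is issued over plain http, so it is the one that could
    have been observed on the wire or planted before authentication.
    """
    store = SessionStore(regenerate_on_login=regenerate)
    pre_login_id = store.start(over_tls=False)
    store.get(pre_login_id).data["cart"] = "book-1234"    # constructed state
    store.login(pre_login_id, "alice", USERS["alice"], over_tls=True)
    s = store.get(pre_login_id)
    return s is not None and s.user == "alice"


def post_login_id_keeps_state(regenerate: bool) -> bool:
    """The id returned by login() is authenticated and still holds the cart."""
    store = SessionStore(regenerate_on_login=regenerate)
    pre_login_id = store.start(over_tls=False)
    store.get(pre_login_id).data["cart"] = "book-1234"
    new_id = store.login(pre_login_id, "alice", USERS["alice"], over_tls=True)
    s = store.get(new_id)
    return (s is not None and s.user == "alice"
            and s.data.get("cart") == "book-1234" and s.issued_over_tls)


def unknown_id_not_promoted() -> bool:
    """A client-supplied id the server never issued must not become a login id."""
    store = SessionStore(regenerate_on_login=False)
    never_issued = "id-the-server-never-issued"           # constructed value
    new_id = store.login(never_issued, "alice", USERS["alice"])
    return new_id != never_issued and store.get(never_issued) is None


if __name__ == "__main__":
    for flag in (False, True):
        print(f"regenerate_on_login={flag}: pre-login id still authenticated ->",
              pre_login_id_still_authenticated(flag))
    print("unknown id refused:", unknown_id_not_promoted())
```

With `regenerate_on_login=False` the pre-login id, the one that travelled over http, is exactly the id that now carries the authenticated session; with it set to `True` that id no longer maps to anything and only the id issued over https after the credential check does. This is the behaviour PHP's `session_regenerate_id(true)` and Spring Security's session-fixation protection (`sessionFixation().migrateSession()`) implement; the cart data is carried across, which is why frameworks call it "migrate" rather than "new session". Regeneration does not help if the new id is itself sent over plaintext afterwards, so it belongs together with the `Secure` and `HttpOnly` cookie attributes on the post-login cookie.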