Description

This web application has the sessionState property regenerateExpiredSessionId set to false, which indicates that expired session IDs will not be regenerated. Session IDs are tokens generated by web applications to uniquely identify an application user's session. When a user logs out, the web application must invalidate the current session ID so that it cannot be used anymore.

Remediation

It's recommended to set the sessionState property regenerateExpiredSessionId to true.

 <sessionState ... regenerateExpiredSessionId="true" />
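
An added example, not part of the original advisory: a small Python check that parses a web.config and reports every sessionState element, including per-path location overrides, that explicitly sets regenerateExpiredSessionId to false. The sample configuration and the function name audit_session_state are constructed for illustration, and the check assumes a configuration file without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config for the demonstration (not a real application).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc" cookieless="UseUri" timeout="20"
                  regenerateExpiredSessionId="false" />
  </system.web>
  <location path="admin">
    <system.web>
      <sessionState mode="InProc" regenerateExpiredSessionId="true" />
    </system.web>
  </location>
</configuration>"""


def audit_session_state(config_xml):
    """Return one finding per <sessionState> element that explicitly
    sets regenerateExpiredSessionId to false."""
    root = ET.fromstring(config_xml)
    # Check the application-wide section and each <location> override
    # separately, so a finding records which path the setting applies to.
    scopes = [("(root)", root.find("system.web"))]
    for loc in root.findall("location"):
        scopes.append((loc.get("path", ""), loc.find("system.web")))

    findings = []
    for scope, system_web in scopes:
        if system_web is None:
            continue
        for element in system_web.findall("sessionState"):
            value = element.get("regenerateExpiredSessionId")
            if value is not None and value.strip().lower() == "false":
                findings.append({
                    "scope": scope,
                    "mode": element.get("mode"),
                    "cookieless": element.get("cookieless"),
                })
    return findings


if __name__ == "__main__":
    for finding in audit_session_state(SAMPLE_WEB_CONFIG):
        print("regenerateExpiredSessionId=false in scope", finding["scope"],
              "(cookieless=%s)" % finding["cookieless"])
```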
