Does Session ID rotation enhance security?

(I think) I understand why session IDs should be rotated when the user logs in - this is one important step to prevent session fixation.

However, is there any advantage t开发者_StackOverflow社区o randomly/periodically rotating session IDs?

This seems to only provide a false sense of security in my opinion. Assuming session IDs are not vulnerable to brute-force guessing and you only transmit the session ID in a cookie (not as part of URLs), then an attacker will have to access your cookie (most likely by snooping on your traffic) to get your session ID. Thus if the attacker gets one session ID, they'll probably be able to sniff the rotated session ID too - and thus randomly rotating has not enhanced security.

If you're using session identifiers stored in cookies, session fixation is not an issue. I skimmed through the paper you pasted and I see things like using DNS and XSS to own the user, which obviously are much greater (not to mention, separate) issues than session fixation. If you have the session identifier (with an acceptable level of entropy) stored in a cookie, there is no sane reason to rotate it. The only reason to rotate it would be because it's guessable or vulnerable in some other way, in which case the user gets owned anyways.

Sounds like a dumb idea overall.

It would totally screw up users if they hit the back button as the links on previous page would now include an out of date session id. You can also throw out any AJAX because each time a RPC is made to the server, all links/forms on the page require updating as they now have invalid values. If anything this is less secure because it means your application becomes more complicate and hass more chance to have a mistake in it.

If reasoning demands you "rotate" ids it probably means your ids are poorly generated, and that should be the thing that gets fixed. If snooping is a problem use SSL.

According to this SSL Labs blog post (from 2013), RC4 chiphers (still seen in the wild, 2017) is weak an may allow a black hat to expose session cookie data from intercepted HTTPS traffic (such as over wifi).

Rotating session cookie ID/data every x time units (minutes?), and after every y number of requests, is suggested in the blog post.

Web development isn't my thing, but is it possibly because the user logging in may be an attacker? For example, if I log in and get session ID 4, can I guess that session ID 5 will belong to some other user, modify my local cookie, and then act as that user?