一直在做更多的挖掘这一点。在任何Web应用程序prevent会话固定攻击的***方法是发出一个新的会话标识符，当用户登录。

Have been doing more digging on this. The best way to prevent session fixation attacks in any web application is to issue a new session identifier when a user logs in.

在ASP.NET Session.Abandon（）不足以完成这个任务。微软状态 http://support.microsoft.com/kb/899918 认为：当你放弃会话，会话ID的cookie不从用户的浏览器中移除。 因此，只要会话已被放弃，到同一个应用程序的任何新请求都将使用相同​​的会话ID，但将有一个新的会话状态实例，

In ASP.NET Session.Abandon() is not sufficient for this task. Microsoft state in http://support.microsoft.com/kb/899918 that: ""When you abandon a session, the session ID cookie is not removed from the browser of the user. Therefore, as soon as the session has been abandoned, any new requests to the same application will use the same session ID but will have a new session state instance.""

一个bug修复已要求这在https://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210#details

A bug fix has been requested for this at https://connect.microsoft.com/feedback/viewfeedback.aspx?FeedbackID=143361&wa=wsignin1.0&siteid=210#details

有一种变通方法，以确保新的会话ID是在 http://support.microsoft.com/kb/899918生成详细这就需要调用Session.Abandon然后清除会话ID cookie。

There is a workaround to ensure new session ids' are generated detailed at http://support.microsoft.com/kb/899918 this involves calling Session.Abandon and then clearing the session id cookie.

会更好，如果ASP.NET没有依靠开发商做到这一点。

Would be better if ASP.NET didn't rely on developers to do this.