
How to Generate a new Session ID

Posted 2019-01-17 01:17

Question:

Is it possible to generate a new ID for the session using ASP.NET?

I want it to change when someone logs in to my website just before I set their initial session variables.

Answer 1:

You can do this using the SessionIDManager class:

SessionIDManager manager = new SessionIDManager();

string newID = manager.CreateSessionID(Context);
bool redirected = false;
bool isAdded = false;
manager.SaveSessionID(Context, newID, out redirected, out isAdded);

[Code sample is from Anas Ghanem's article]



Answer 2:

You can use

SessionIDManager.CreateSessionID method: returns a unique session identifier that is a randomly generated number encoded into a 24-character string.

Code

SessionIDManager Manager = new SessionIDManager(); 
string NewID = Manager.CreateSessionID(Context); 
string OldID = Context.Session.SessionID;
bool redirected = false;
bool IsAdded = false;
Manager.SaveSessionID(Context, NewID, out redirected, out IsAdded);

Here you can find full detail about this: Changing the session ID programmatically.



Answer 3:

Yes, it is possible to generate a new ID for the session. Below is one example:

System.Web.SessionState.SessionIDManager Manager = new System.Web.SessionState.SessionIDManager();
string NewID = Manager.CreateSessionID(Context);
string OldID = Context.Session.SessionID;

bool redirected = false;
bool IsAdded = false;
// SaveSessionID returns both flags through out parameters
Manager.SaveSessionID(Context, NewID, out redirected, out IsAdded);

Response.Write("Old SessionId Is : " + OldID); 
if (IsAdded) { 
    Response.Write("<br/> New Session ID Is : " + NewID); 
} 
else { 
    Response.Write("<br/> Session Id did not saved : "); 
} 


Answer 4:

I assume this is security related? Will a Session.Clear() or Session.Abandon() work for you? This is a good SO link related to those methods.

Otherwise, it is difficult because the ASP.NET session cookie is already on the user's browser. You might not have confidence that the session was truly changed.



Answer 5:

The ASP.Net session management infrastructure does not expose a supported way to change your session id during the handling of a request. If writing supported code is important to you, there are several things to be aware of with the accepted answer.

  • Both CreateSessionID and SaveSessionID are marked "This method is not intended to be called from application code".
  • The SessionID provider is a pluggable type (see e.g. Implementing a custom SessionIDManager), so at the very least you would need to instantiate the correct type.
  • The session state attached to the HttpContext will remain associated with the initial session id, so anything you put in the session state bag will appear to be lost. Since there isn't anything you can do with the session once you've changed your id, it's kind of pointless to change your id this way.

Unfortunately, there isn't a supported way to do this without a round-trip. What you need to do is to wipe the session state cookie when you generate the login form. When the user submits the form back, the framework will call into the SessionIDManager to generate a new one. Wiping the session cookie correctly is slightly more complicated than most of the code samples show. The cookie name is another parameter configurable in the web.config. You need to read it from the configuration by accessing the property:

((System.Web.Configuration.SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState")).CookieName

The session id cookie is not scoped to the application, so if there are two applications installed on the same server it's often desirable to have them use different cookie names, so this is required more commonly than you might think.
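
The round trip described in the last answer, as an added example (not code from any of the answers or from ASP.NET itself): the login form's GET abandons the pre-login session and expires the session cookie under its configured name, so the postback is issued a new ID before the initial session variables are set. The page class `Login`, the handler `LoginButton_Click`, the `UserName` and `Password` controls and the use of a configured membership provider are assumptions.

```csharp
// Added example: code-behind of a hypothetical Web Forms page, Login.aspx.
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;   // only wipe when the form is first rendered (GET)

        var section = (SessionStateSection)ConfigurationManager
            .GetSection("system.web/sessionState");

        // Drop the server-side state tied to the pre-login session ID.
        Session.Abandon();

        // With cookieless="UseUri" the ID travels in the URL; no cookie to expire.
        if (section.Cookieless == HttpCookieMode.UseUri) return;

        // Overwrite the cookie, under its configured name, with an empty expired
        // one so the browser discards the pre-login ID.
        Response.Cookies.Add(new HttpCookie(section.CookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        });
    }

    // Assumed wiring: a button with OnClick="LoginButton_Click" and TextBox
    // controls named UserName and Password declared in Login.aspx.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The postback arrived without a session cookie, so the framework has
        // already generated a fresh session ID for this request.
        if (!Membership.ValidateUser(UserName.Text, Password.Text)) return;

        // First write into the new session: the initial session variables.
        Session["UserName"] = UserName.Text;
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}
```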