I'm wondering if regenerating the session id after a successful login is really a good practice and not just a sort of cargo cult behavior.
If I understand the theory correctly, it should prevent session hijacking (or at least make it harder), but I can't really see, if someone could steal the pre-login session, what would stop the phisher from doing it again with the regenerated one.
I'm not focusing on Spring (I don't even use Java currently), I'm interested in the pros and cons.
You regenerate to prevent session hijacking when the pre-login is http and the post-login is https. That is what stops the attacker doing it again with the regenerated one.
It is relatively easy to steal a session identifier for an http session, assuming you are near the victim, or in the path somewhere, or have phished, etc. - and if this session identifier is also viable in the encrypted session, it can make the attacker's job quite easy.
Yes. You should regenerate the session on login, to help defend against session fixation and login CSRF.
See OWASP's recommendation for more.
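
An added example (not part of either answer, and not any framework's code): a minimal in-memory session store showing what happens to a session id that was known before login when the id is kept versus regenerated at login. The names `SessionStore` and `id_known_before_login_is_authenticated` are hypothetical.

```python
import secrets


class SessionStore:
    """In-memory session table (constructed for illustration): id -> data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Server-issued, unpredictable identifier for an anonymous session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        data = self._sessions.get(sid)
        return data["user"] if data else None

    def login(self, sid, user, regenerate=True):
        """Authenticate the session and return the id the client must use next."""
        data = self._sessions.get(sid)
        if data is None:
            # Never adopt an id the server did not issue: start a fresh session.
            sid = self.create()
            data = self._sessions[sid]
        elif regenerate:
            # Move the session data to a new id and invalidate the old one,
            # so an id seen or set before login carries no privileges.
            del self._sessions[sid]
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = data
        data["user"] = user
        return sid


def id_known_before_login_is_authenticated(regenerate):
    """True if the pre-login id maps to the logged-in user after login."""
    store = SessionStore()
    pre_login_sid = store.create()  # id exposed or fixed before authentication
    post_login_sid = store.login(pre_login_sid, "alice", regenerate=regenerate)
    assert store.user_for(post_login_sid) == "alice"
    return store.user_for(pre_login_sid) == "alice"
```

With `regenerate=False` the pre-login id becomes an authenticated session; with `regenerate=True` it resolves to nothing after login.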