NWebsec / NWebsec

Security libraries for ASP.NET
https://www.nwebsec.com
BSD 3-Clause "New" or "Revised" License

Session ID Not Generated On Initial Page Load (.NET FW 4.7.2) #165

Closed PRISMAY closed 4 years ago

PRISMAY commented 4 years ago

We've installed the NWebsec.SessionSecurity to address the Session Fixation flaw, but we're running into an issue where, on loading our initial view (login view), the session id is still the standard one generated rather than one generated by the NWebsec.SessionSecurity library.

Once I click on Login and submit the form, the session id is then generated properly, and from that point forward everything works fine. I'm not sure if we're missing some configuration step or what exactly. Our config settings are as below, with the 256-bit key.

      <sessionIDAuthentication enabled="true"
                               useMachineKey="false"
                               authenticationKey="43177483d0..." />

Please let me know if you need any more info. Thank you.

PRISMAY commented 4 years ago

To clarify the above, we are NOT using standard form authentication but our own custom token-based authentication. So when the user submits the login form, we process the credentials, get a token and, if successfully logged in, route the user to the app.

The problem is that when the initial non-authenticated login page is shown and submitted, it comes right back to the login page again. Dev tools show that the session id is now the 256-bit one. If we now submit the form, it proceeds as it should. Is there some way to emulate the forms authentication in our controller once we know the user is logged in and we have a token, so that we can proceed normally? Thanks.

PRISMAY commented 4 years ago

We found our custom authentication routes do need to set the FormsAuthentication cookie via SetAuthCookie. This worked as expected and the session id was then assigned. I'll close this ticket.
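The fix the reporter describes, written out as an added example (this is not code from the issue or from NWebsec): a custom token-based login action that issues the forms authentication cookie once the credentials are accepted. `ITokenService` and `LoginViewModel` are hypothetical placeholders for the reporter's own authentication code, and the example assumes forms authentication is enabled in web.config so the cookie is read back on the next request.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical stand-in for the reporter's custom token-based
// authentication; not part of NWebsec or ASP.NET.
public interface ITokenService
{
    // Returns an access token on success, null on failure.
    string Authenticate(string userName, string password);
}

public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    private readonly ITokenService _tokens;

    public AccountController(ITokenService tokens) { _tokens = tokens; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        string token = _tokens.Authenticate(model.UserName, model.Password);
        if (token == null)
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Custom token auth alone leaves the request unauthenticated as far
        // as ASP.NET is concerned, so there is no identity for the session
        // security module to bind the session ID to. Issuing the forms auth
        // cookie is what resolved the issue above: on the next request
        // User.Identity is populated and the authenticated session ID appears.
        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);

        // Keep the token server-side rather than in a client-readable cookie.
        Session["AuthToken"] = token;

        return RedirectToAction("Index", "Home");
    }
}
```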