I tried to use IBM Rational AppScan to scan the website, but the "Session Fixation" problem still comes up.
login.asp -> default.asp -> logout.asp
The "Session identifier not updated" problem seems to re-use the Session ID.
I tried to follow the example above but was unsuccessful.
Is it possible to do the following?
- Renew the ASPSESSIONID
- Cookieless Session
- Encrypted URL
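
One way to confirm whether the session ID is re-used across the login step of the login.asp -> default.asp -> logout.asp flow described in the post. This is an added example, not part of the original post: it assumes the request and response cookie headers were captured with a proxy, and the function names, flow data and cookie values are constructed for illustration.

```python
import re

# Classic ASP names its session cookie "ASPSESSIONID" plus an uppercase suffix.
ASP_COOKIE = re.compile(r"(ASPSESSIONID[A-Z]*)=([^;\s]*)")

def apply_cookies(jar, header_value):
    """Merge ASPSESSIONID* pairs from a Cookie or Set-Cookie value into jar.
    An empty value is treated as the server clearing that cookie."""
    for name, value in ASP_COOKIE.findall(header_value or ""):
        if value:
            jar[name] = value
        else:
            jar.pop(name, None)

def check_flow(exchanges, login_path="/login.asp"):
    """exchanges: ordered (method, path, request Cookie header, [Set-Cookie headers]).
    Compares the session IDs held when the login POST is sent with those held
    once its response has been processed."""
    jar, before, after = {}, None, None
    for method, path, cookie_hdr, set_cookies in exchanges:
        apply_cookies(jar, cookie_hdr)
        is_login = method == "POST" and path == login_path
        if is_login:
            before = dict(jar)
        for header in set_cookies:
            apply_cookies(jar, header)
        if is_login:
            after = dict(jar)
    if before is None:
        return "no-login-seen"
    if not before:
        return "no-pre-login-session"
    reused = [n for n, v in before.items() if after.get(n) == v]
    return "session-id-reused" if reused else "session-id-renewed"

# Constructed captures of login.asp -> default.asp -> logout.asp (values are made up).
OLD = "ASPSESSIONIDQADTBRCS=AAAABBBBCCCCDDDDEEEEFFFF"
NEW = "ASPSESSIONIDQADTBRCS=GGGGHHHHIIIIJJJJKKKKLLLL"
REUSED_FLOW = [
    ("GET", "/login.asp", "", [OLD + "; path=/"]),
    ("POST", "/login.asp", OLD, []),
    ("GET", "/default.asp", OLD, []),
    ("GET", "/logout.asp", OLD, []),
]
RENEWED_FLOW = [
    ("GET", "/login.asp", "", [OLD + "; path=/"]),
    ("POST", "/login.asp", OLD, [NEW + "; path=/; HttpOnly"]),
    ("GET", "/default.asp", NEW, []),
    ("GET", "/logout.asp", NEW, []),
]
```

A result of `session-id-reused` means the browser still holds the pre-login ID after authenticating; `session-id-renewed` means the login response replaced or cleared it.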