How to create Session Id for every Login in Asp.net MVC?

26,872

Solution 1

I got a better solution to create a new session ID, like this:

    // SessionIDManager is in the System.Web.SessionState namespace
    SessionIDManager manager = new SessionIDManager();
    string newSessionId = manager.CreateSessionID(HttpContext.Current);

The above code helped me.

Solution 2

Try this when you abandon the session/log out:

    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

By clearing out that cookie, a new session with a new session ID will be created after the second login.
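
The session fixation concern raised in the comments is usually handled by discarding the pre-login session at the moment of authentication as well as at logout. The following is an added example, not code from either answer; it assumes Forms Authentication with a configured Membership provider and the default session cookie name, and `AccountController` and `ResetSession` are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical controller for illustration; not code from the original page.
public class AccountController : Controller
{
    // Default session cookie name, the same one Solution 2 clears.
    private const string SessionCookieName = "ASP.NET_SessionId";

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        // Assumes a Membership provider is configured in web.config.
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        // Drop the pre-login session so an ID known before authentication
        // is never reused for the authenticated user.
        ResetSession();
        // Identity travels in the forms-auth ticket (.ASPXAUTH), not the session ID.
        FormsAuthentication.SetAuthCookie(userName, false);
        // The redirected request carries no session cookie, so ASP.NET issues a new ID.
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        ResetSession();
        return RedirectToAction("Login");
    }

    // Hypothetical helper: abandon server-side state and expire the client cookie.
    private void ResetSession()
    {
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie(SessionCookieName, "")
            { Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true });
    }
}
```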


Developer
Author by

Developer

Updated on July 09, 2022

Comments

  • Developer
    Developer almost 2 years

    I am new to MVC. I want to get a new session ID for every login; for that, I am getting it like this:

         string sessionId=HttpContext.Current.Session.SessionID;
    

    But it is generating the same session ID for every login.

    I have used the following to remove or clear the session:

            Session.Abandon();
            Session.RemoveAll();
            Session.Clear();
    

    But there is no change in generating the session ID for every login. Is there any alternative to create a new session ID for every login?

    • Ahmed ilyas
      Ahmed ilyas almost 10 years
      What's the significance to you of getting a unique sessionID for every login? You shouldn't worry about that at all...
    • Developer
      Developer almost 10 years
      For some requirements in my project, I need to get the session ID!
    • Ahmed ilyas
      Ahmed ilyas almost 10 years
      Requirements are terrible in such a case... they shouldn't depend on sessionID. What exactly is the requirement? You need to correct this before moving onwards. Also, take a look at this: msdn.microsoft.com/en-us/library/… and this: forums.asp.net/post/7504.aspx
    • Developer
      Developer almost 10 years
      Yes I do. The requirement is that if a user is logged in with his credentials, another user should not be able to log in until the first user logs out, directly preventing multi-user login.
    • Ahmed ilyas
      Ahmed ilyas almost 10 years
      sessionID is not reliable for such a thing. You need some other means to truly determine this case. Also, read this about sessionID: forums.asp.net/post/7504.aspx - you are most likely using the same browser session to check your session ID.
    • Developer
      Developer almost 10 years
      Is there any option to generate a new sessionId every time?
    • Ahmed ilyas
      Ahmed ilyas almost 10 years
      No. The ASP.NET engine does this - users should never do this, for many reasons. The only other way is to download the ASP.NET MVC source code, modify it and use it for your needs. But you will be shooting yourself in the foot by making these changes.
    • Paul T Davies
      Paul T Davies over 9 years
      @Ahmedilyas Do you not leave the newly logged-in user open to session fixation attacks? If a previous user has made a note of the session ID, they can hijack the session when the new user has logged in (assuming authentication/authorization have not been properly implemented).
    • Ahmed ilyas
      Ahmed ilyas over 9 years
      Not sure I follow. I understand what you are saying about the session fixation attacks but don't quite understand your comment.
    • Paul T Davies
      Paul T Davies over 9 years
      @Ahmedilyas So I am on computer A, and I observe that the session ID is 1234. I go away from computer A and observe another user log into a website. I set my session ID on computer B to 1234 and go to the same website. If the website is not properly secured, I will be presented with the other user's data. Having a new session ID will prevent this (yes, I know it can be prevented with proper authentication/authorization, but some of us have paranoid clients and see having the same ID as a massive security hole).
    • Ahmed ilyas
      Ahmed ilyas over 9 years
      Right - sure. I agree, but this shouldn't be used to ignore the whole authorization and authentication process either. Even creating a new sessionID will result, at some point, in generating a previously generated sessionID, but the chances of this happening quite often are VERY low.
    • Paul T Davies
      Paul T Davies over 9 years
      @Ahmedilyas I agree it is not a replacement for authorization, but clients have read up on session fixation and panic when they see the session ID not changing! I'm not sure session fixation/session hijacking is even an issue if security is implemented properly?
    • Paul T Davies
      Paul T Davies over 9 years
      Yes it is - you just use the .ASPXAUTH cookie instead of ASP.NET_SessionId.
  • Matheus Miranda
    Matheus Miranda over 6 years
    Your answer is telling you to get SessionID. Friend wants to create SessionID.