Sitecore 9.x and Session Fixation attacks

Hello Everyone,

I've tried searching for this, but Google and the community search are both letting me down.  My question is how to best handle Session Fixation issues that are posed by ASP.NET in relationship to Sitecore.  I am working at a client who has identified that the ASP.NET session Id is not being updated on user permission changes (notably on login), which it the default behavior for ASP.NET, but is noted as a security vulnerability in OWASP by session fixation attacks.  The simplest fix is to just reset the session on user login, but the result of simply updating the session id when a user logs in is the a significant inflation of the reported number of user sessions in Sitecore Analytics.  This makes the reporting aspects of Sitecore look very unreliable to the customer, especially when compared against Google analytics, which is reporting more reasonable numbers of sessions.

My question has two parts: part A - does Sitecore have built in functionality that mitigates this issue?  I don't see anything on the interwebs that seems to address this issue (but I may not be using the right terminology in my search). At the same time I also don't see any questions raised about the issue, which begs the question of if it's a concern in Sitecore.

Part B of the question is how are other members of this community addressing this security concern, particularly if it's not covered by Sitecore out-of-the box.

I appreciate any responses as I look into how to meet this client security requirement in our Sitecore implementation.

Best Regards,

James