In a recent security scan using IBM AppScan on one of our ASP.NET applications, the following medium vulnerability was reported:
Session Identifier Not Updated
Severity: Medium
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user
Causes: Insecure web application programming or configuration.
I found different threads that talk about the same issue and found suggested solutions as well. But in that KB article Microsoft explains how reuse of session IDs could be useful, and the same article doesn't mention any risks about the reuse of session IDs. Also, in Session Identifiers | MSDN, no risks are mentioned other than that SessionID values are sent in clear text, whether as a cookie or as part of the URL.
So my question here is: is that risk a real vulnerability / possible session fixation attack, or is it just a false-positive risk?