Question

Is it true to say the tactic of regenerating session IDs is only useful to prevent session hijacking via session fixation? If not, how does regenerating IDs help prevent session hijacking?

This popular answer recommends changing the session ID often because:

"...if an attacker does hijack a session you don't want them to be able to use it for too long."

But if the attacker has already hijacked a session won't they just receive the new session ID?

Solution

It'd be a race condition. You'd have 2+ users both sharing the same session ID. At some point your code decides to regenerate the ID, which would send the new ID to one of those users. If the attacker lucks out and their "hit" is the one that gets the regenerated ID, they'll be in the clear and have total control over that session now.

If the actual user gets the regenerated ID, then the attacker is now left with an invalid session ID, and they'll have to try and hijack the freshly regenerated ID and start over again.
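
The race described in the answer above, modelled server-side as an added example that is not part of the original answer. `SessionStore` and `simulate` are hypothetical names standing in for a framework's session backend; the retired-ID tracking goes one step beyond the answer, showing that a request carrying a retired ID is something the server can detect and log.

```python
import secrets


class SessionStore:
    """In-memory session store (hypothetical stand-in for a real backend)."""

    def __init__(self):
        self._sessions = {}    # live session ID -> session data
        self._retired = set()  # IDs that were replaced by regeneration

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        """Return the session data, or None if the ID is unknown or retired."""
        return self._sessions.get(sid)

    def is_retired(self, sid):
        """True if the ID was valid once and has since been regenerated."""
        return sid in self._retired

    def regenerate(self, old_sid):
        """Move the session to a fresh ID and invalidate the old one.

        Only the client whose request triggered this call receives the new ID.
        """
        data = self._sessions.pop(old_sid, None)
        if data is None:
            return None
        self._retired.add(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def simulate(winner):
    """Two holders share one ID; `winner` makes the request that regenerates it."""
    store = SessionStore()
    shared = store.create("alice")               # constructed sample session
    held = {"user": shared, "attacker": shared}  # both hold the same ID
    held[winner] = store.regenerate(held[winner])
    return {who: {"valid": store.lookup(sid) is not None,
                  "retired": store.is_retired(sid)}
            for who, sid in held.items()}


if __name__ == "__main__":
    print("user wins the race:    ", simulate("user"))
    print("attacker wins the race:", simulate("attacker"))
```

Whichever holder loses the race is left presenting an ID that `is_retired` recognises, which is only possible when the old ID is invalidated at regeneration time.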

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow