My web application is only accessible to authenticated users. Before login the user can only see the main page with a button to log in. The application assigns a session ID on the main page; the authentication is handled by another application.
After login and coming back to my application the user still has the same session ID. However, it will be changed after logout.
OWASP ASVS states that the session ID should be changed on login, but I do not see a clear reason why it is necessary in this situation. Is it necessary to change it?