
I am working on a Rails application where I reset the session upon logging out and each successful login, as well as when the user IP address changes.

Would resetting the session (changing the session ID cookie) after each user request significantly reduce chances of successful session fixation attacks?

Nick M

1 Answer


Session fixation is an attack where the victim, using a vulnerability, fixes a session id in the victim's browser, and then, when the user authenticates himself, the application does not provide a new session token. Because of this, the attacker also gets authenticated using the victim's id.

A session fixation attack won't be possible if the application provides a new session token when logging in and out. Your current solution is fine, and changing session tokens on each request is over-engineering it. It may also inconvenience the user if they switch networks (such as on a mobile device) if you invalidate the session by monitoring the IP.

LTPCGO
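To make the answer's point concrete, here is an added Ruby simulation (not from the question, the answer, or Rails itself) of a minimal in-memory session store. `SessionStore`, `login` and `fixation_succeeds?` are constructed for this example; `SessionStore#reset` plays the role of Rails' `reset_session`. It shows that a planted session id stays authenticated only when login does not rotate the id.

```ruby
require 'securerandom'

# Minimal in-memory session store standing in for a Rails session store
# (constructed for this example; not Rails code).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Return the session data for an id, creating an empty one if unknown.
  def fetch(id)
    @sessions[id] ||= {}
  end

  # Equivalent of Rails' reset_session: discard the old id and its data,
  # and hand back a fresh, unguessable id for the browser to store.
  def reset(id)
    @sessions.delete(id)
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = {}
    new_id
  end
end

# Simulate login. `cookie_id` is whatever id the browser presented.
# Returns the session id the browser holds afterwards.
def login(store, cookie_id, user_id, rotate:)
  sid = rotate ? store.reset(cookie_id) : cookie_id
  store.fetch(sid)[:user_id] = user_id
  sid
end

# Does presenting `sid` count as an authenticated user?
def authenticated?(store, sid)
  !store.fetch(sid)[:user_id].nil?
end

# Replay the scenario from the answer: an id known to the attacker ends up
# in the victim's cookie before the victim logs in. The defender's question
# is whether that known id is still usable after the victim's login.
def fixation_succeeds?(rotate:)
  store = SessionStore.new
  planted = 'attacker-known-id'       # constructed sample id
  store.fetch(planted)                # the id already exists in the store
  login(store, planted, 42, rotate: rotate) # victim logs in holding that id
  authenticated?(store, planted)      # known id presented after login
end
```

With `rotate: false` the planted id is now an authenticated session; with `rotate: true` the login discarded it, so rotating at login (and logout) is what closes the hole, without touching every request.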