Basically, I have two questions:
A. Is session hijacking possible on the same system but with two new instances of the browser (e.g. 1. New Window and 2. Incognito)?
If Yes, then how could I prevent session hijacking in this scenario?
What I have tried is to log in as User X and take the post-login ASP.NET_SessionId cookie value. Then, in Incognito, I logged in as User Y and, after successfully logging in, replaced the value of User Y's ASP.NET_SessionId cookie with User X's ASP.NET_SessionId and refreshed. I then received the entire session of User X.
B. How could I prevent session hijacking with two different systems?
I am using ASP.NET MVC5, Forms Authentication, .NET 4.5.2, and InProc session state.
Thanks in advance.
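
The behaviour described in the question follows from the Forms Authentication ticket and the ASP.NET_SessionId cookie being independent of each other: the session ID alone selects the InProc session. One way to tie the two together, as an added example that is not part of the original post: record the authenticated user name in the session and reject any request where it differs from the name in the forms ticket. The class name `MvcApplication` (the MVC template default) and the session key `__SessionOwner` are assumptions.

```csharp
// Global.asax.cs (added example; merge the handler into the existing application class)
using System;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Hypothetical key under which the session's owner is stored.
    private const string OwnerKey = "__SessionOwner";

    // Raised once session state has been loaded for the current request.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = Context;

        // Static files and handlers without session state have no Session object.
        if (ctx == null || ctx.Session == null) return;

        // Anonymous requests carry no forms ticket to compare against.
        if (!ctx.Request.IsAuthenticated) return;

        string ticketUser = ctx.User.Identity.Name;
        string owner = ctx.Session[OwnerKey] as string;

        if (owner == null)
        {
            // First authenticated request on this session: claim it for this user.
            ctx.Session[OwnerKey] = ticketUser;
            return;
        }

        if (string.Equals(owner, ticketUser, StringComparison.Ordinal)) return;

        // The session ID belongs to another user's session (User Y presenting
        // User X's ASP.NET_SessionId). Treat the ID as compromised: destroy the
        // session, expire the cookie, sign the caller out and stop processing.
        ctx.Session.Clear();
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        CompleteRequest(); // skip the MVC handler for this request
    }
}
```

This check covers the case where only the session cookie is swapped; it does not help when both the forms ticket and the session cookie are copied to another machine, which is why both cookies should also be marked HttpOnly and sent only over HTTPS (`requireSSL` on `<httpCookies>` and `<forms>` in web.config).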