The correct answer is C. Regenerate the session ID after a successful login to prevent session fixation attacks because the weakness described is the textbook condition for session fixation. In session fixation, an attacker sets or predicts a victim’s session identifier before the victim authenticates (for example, by sending a crafted link containing a session ID, forcing a known token into the victim’s browser via a URL parameter, or leveraging an application behavior that creates a session for unauthenticated users). If the application fails to issue a new session identifier after authentication, the attacker can reuse the already-known session ID once the victim logs in, effectively taking over the authenticated session.

The scenario explicitly states that “the same authentication token assigned before login continues to be valid without being refreshed,” and that the attacker could “trick a victim into authenticating with a value already known to the attacker.” Those statements describe session fixation precisely: authentication is “bound” to a pre-existing session identifier rather than a newly generated post-login token. The most direct and widely recommended mitigation is to invalidate the old session and regenerate a fresh session ID immediately after successful authentication (and also after privilege changes such as elevating to an admin role). This breaks the attacker’s knowledge advantage, because even if they forced a pre-login session ID, it becomes useless after login.

Why the other options are less correct: A (SSL/TLS) protects confidentiality and integrity in transit but does not prevent an attacker from fixing a session ID if they can set it through other means. B (restrictive cache directives) helps prevent sensitive pages from being stored in caches but does not address session ID reuse. D can reduce exposure by limiting pre-auth sessions, but many applications legitimately require them (shopping carts, CSRF tokens), and it is not as direct or complete as regenerating the session identifier at authentication boundaries.

Therefore, the correct countermeasure is to regenerate the session ID after login.