I am trying to prevent session fixation and have read the following from the OWASP website:
Session Fixation
Session IDs are to be generated by your application only.
That quote from OWASP PHP Security Cheat Sheet is wrong. Restricting the source of the session id has no effect on Session Fixation. An attacker can go to your site and just grab a valid session id.
The passage was fixed and now gives an effective method for preventing Session Fixation:
Invalidate the session id after user login (or even after each request) with session_regenerate_id().
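A PHP login handler that applies the advice quoted in the answer above, as an added example that is not part of the original post or of the OWASP cheat sheet. verify_credentials() and its demo account are hypothetical stand-ins for the application's own password check.

```php
<?php
declare(strict_types=1);

// Reject session IDs the server never issued. An attacker can still obtain a
// server-issued ID, so the regeneration in login() is what stops fixation.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

// Hypothetical credential check with a constructed demo account.
function verify_credentials(string $user, string $password): bool
{
    static $hash = null;
    $hash ??= password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($password, $hash);
}

function login(string $user, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!verify_credentials($user, $password)) {
        return false;
    }
    // The pre-login ID may be known to someone else. Issue a new one and
    // delete the old session (true); fail closed if that is not possible.
    if (!session_regenerate_id(true)) {
        return false;
    }
    // Discard anything stored before login, then record the authenticated user.
    $_SESSION = ['user' => $user, 'authenticated_at' => time()];
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    $ok = login($user, $pass);
    http_response_code($ok ? 200 : 401);
    echo $ok ? "logged in\n" : "invalid credentials\n";
}
```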