(I think) I understand why session IDs should be rotated when the user logs in – this is one important step to prevent session fixation.
However, is there any advantage to randomly/periodically rotating session IDs?
This seems to only provide a false sense of security in my opinion. Assuming session IDs are not vulnerable to brute-force guessing and you only transmit the session ID in a cookie (not as part of URLs), then an attacker will have to access your cookie (most likely by snooping on your traffic) to get your session ID. Thus if the attacker gets one session ID, they’ll probably be able to sniff the rotated session ID too – and thus randomly rotating has not enhanced security.
If you’re using session identifiers stored in cookies, session fixation is not an issue. I skimmed through the paper you pasted and I see things like using DNS and XSS to own the user, which obviously are much greater (not to mention, separate) issues than session fixation. If you have the session identifier (with an acceptable level of entropy) stored in a cookie, there is no sane reason to rotate it. The only reason to rotate it would be because it’s guessable or vulnerable in some other way, in which case the user gets owned anyways.