From b19e14330fa61ade2a2695a2dba3e3976e54c9de Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 16 Nov 2017 11:22:33 -0600
Subject: [PATCH] WebSessionServerCsrfTokenRepository session fixation protection

Issue: gh-4842
---
 .../server/csrf/WebSessionServerCsrfTokenRepository.java | 1 +
 .../csrf/WebSessionServerCsrfTokenRepositoryTests.java | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
index e0d5eea388..47ad336d82 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
@@ -61,6 +61,7 @@ public class WebSessionServerCsrfTokenRepository
 }
 return exchange.getSession()
 .doOnSuccess(session -> putToken(session.getAttributes(), token))
+ .flatMap(session -> session.changeSessionId())
 .flatMap(r -> Mono.justOrEmpty(token));
 }
 
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
index e9fb8cc7ab..06832c0fc5 100644
--- a/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
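Review bot: The added `.flatMap(session -> session.changeSessionId())` turns the following `.flatMap(r -> Mono.justOrEmpty(token))` into dead code: `WebSession.changeSessionId()` returns `Mono<Void>`, which completes without emitting a value, so the second mapper is never invoked and `saveToken` now completes empty instead of emitting the stored token to any caller that chains on it. Collapse the two steps so the rotation still yields the token, e.g. `.flatMap(session -> session.changeSessionId().then(Mono.justOrEmpty(token)));` in place of the two `flatMap` lines. Rotating the id after `putToken` has written the attributes is the right session-fixation defence; the patch only needs to keep the return contract intact, and the new test in the second hunk asserts the id change alone, so it would not catch the empty result. The enclosing `saveToken` method begins before this hunk.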
@@ -102,4 +102,12 @@ public class WebSessionServerCsrfTokenRepositoryTests {
 load = this.repository.loadToken(this.exchange).block();
 assertThat(load).isNull();
 }
+
+ @Test
+ public void saveTokenChangeSessionId() {
+ String originalSessionId = this.exchange.getSession().block().getId();
+ this.repository.saveToken(this.exchange, null).block();
+ WebSession session = this.exchange.getSession().block();
+ assertThat(session.getId()).isNotEqualTo(originalSessionId);
+ }
 }
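Review bot: `saveTokenChangeSessionId` only asserts that the id changed, and it drives `saveToken` with a `null` token, so the path that stores a real token and hands it back is not covered by the fixation change. Add a companion check with a non-null token that pins both the returned value and the post-rotation lookup, e.g. `assertThat(this.repository.saveToken(this.exchange, token).block()).isEqualTo(token);` followed by `assertThat(this.repository.loadToken(this.exchange).block()).isEqualTo(token);`, so a regression that drops the token or empties the result while rotating the id fails here rather than in a filter. A one-line comment on the test, `// session id must rotate when the CSRF token is (re)written, to defeat session fixation`, would also record why the rotation is expected.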