
WebSessionServerCsrfTokenRepository session fixation protection

Issue: gh-4842
Rob Winch 7 vuotta sitten
commit
b19e14330f

+ 1 - 0
web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java

@@ -61,6 +61,7 @@ public class WebSessionServerCsrfTokenRepository
 		}
 		return exchange.getSession()
 			.doOnSuccess(session -> putToken(session.getAttributes(), token))
+			.flatMap(session -> session.changeSessionId())
 			.flatMap(r -> Mono.justOrEmpty(token));
 	}
 
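Review bot: The added `.flatMap(session -> session.changeSessionId())` makes the following `.flatMap(r -> Mono.justOrEmpty(token))` dead code, because `WebSession.changeSessionId()` returns `Mono<Void>`, which completes without emitting a value, so the second `flatMap` never runs and `saveToken` now always completes empty instead of emitting the saved token. The session id is still rotated, so the new test passes, but any caller that relies on the emitted token (and the null-token test does not) will observe an empty result. Collapsing the two stages preserves the fixation protection and restores the return value: `.flatMap(session -> session.changeSessionId().then(Mono.justOrEmpty(token)));`. Note also that the rotation happens on every call, including the null-token (delete) path exercised by the new test; if that is intended it deserves a one-line comment such as `// rotate the session id on every save so a fixated session id is never reused` above the chain. The enclosing `saveToken` method starts outside this hunk.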

+ 8 - 0
web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java

@@ -102,4 +102,12 @@ public class WebSessionServerCsrfTokenRepositoryTests {
 		load = this.repository.loadToken(this.exchange).block();
 		assertThat(load).isNull();
 	}
+
+	@Test
+	public void saveTokenChangeSessionId() {
+		String originalSessionId = this.exchange.getSession().block().getId();
+		this.repository.saveToken(this.exchange, null).block();
+		WebSession session = this.exchange.getSession().block();
+		assertThat(session.getId()).isNotEqualTo(originalSessionId);
+	}
 }
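Review bot: `saveTokenChangeSessionId` only covers the null-token path, where an empty `Mono` and a `Mono` emitting `null` are indistinguishable after `block()`, so it cannot detect the production chain completing empty once `changeSessionId()` (a `Mono<Void>`) is followed by another `flatMap`. A second test that saves a real token and asserts on the value `saveToken` emits would pin the return contract alongside the session-id rotation; `generateToken` is used to obtain the token so the test needs no new fixtures.
```java
	@Test
	public void saveTokenWhenTokenNotNullThenEmitsToken() {
		CsrfToken token = this.repository.generateToken(this.exchange).block();
		CsrfToken saved = this.repository.saveToken(this.exchange, token).block();
		assertThat(saved).isSameAs(token);
	}
```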