
SEC-2306: Fix Session Fixation logging race condition

Previously session fixation protection could output an incorrect warning
that session fixation protection did not work.

The code now synchronizes on WebUtils.getSessionMutex(..).
Rob Winch hai 12 anos
cffbefadd1

+ 12 - 4
web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java

@@ -26,6 +26,7 @@ import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
+import org.springframework.web.util.WebUtils;
 
 /**
  * A base class for performing session fixation protection.
@@ -70,12 +71,19 @@ abstract class AbstractSessionFixationProtectionStrategy implements SessionAuthe
         HttpSession session = request.getSession();
 
         if (hadSessionAlready && request.isRequestedSessionIdValid()) {
-            // We need to migrate to a new session
-            String originalSessionId = session.getId();
 
-            session = applySessionFixation(request);
+            String originalSessionId;
+            String newSessionId;
+            Object mutex = WebUtils.getSessionMutex(session);
+            synchronized(mutex) {
+                // We need to migrate to a new session
+                originalSessionId = session.getId();
 
-            if (originalSessionId.equals(session.getId())) {
+                session = applySessionFixation(request);
+                newSessionId = session.getId();
+            }
+
+            if (originalSessionId.equals(newSessionId)) {
                 logger.warn("Your servlet container did not change the session ID when a new session was created. You will" +
                         " not be adequately protected against session-fixation attacks");
             }
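Review bot: The mutex obtained at `Object mutex = WebUtils.getSessionMutex(session);` is only a real cross-request lock when an `HttpSessionMutexListener` is registered; otherwise Spring's `getSessionMutex` falls back to the `HttpSession` object itself, and whether two concurrent requests for the same session ID receive the same `HttpSession` instance is container-dependent, so the protection against the spurious warning is weaker than the commit message implies. A comment on that line should say so: `// Serialises concurrent migrations of the same session; without HttpSessionMutexListener this is the HttpSession itself, which not every container shares across threads`. Also note that `hadSessionAlready && request.isRequestedSessionIdValid()` and the `session` reference are evaluated before the lock is taken, so a second thread that blocks on the mutex enters with a `session` the first thread may already have invalidated; re-checking `request.isRequestedSessionIdValid()` inside the synchronized block, or re-fetching the session there, would presumably close that window — worth confirming against the `applySessionFixation` implementations. The enclosing method continues past the end of this hunk.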