WebSessionServerCsrfTokenRepository session fixation protection

Issue: gh-4842
8 years ago · b19e14330f
2 changed files with 9 additions and 0 deletions
--- a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
@ -61,6 +61,7 @@ public class WebSessionServerCsrfTokenRepository
				@@ -61,6 +61,7 @@ public class WebSessionServerCsrfTokenRepository
 		}
 		return exchange.getSession()
 			.doOnSuccess(session -> putToken(session.getAttributes(), token))
+			.flatMap(session -> session.changeSessionId())
 			.flatMap(r -> Mono.justOrEmpty(token));
 	}

--- a/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
@ -102,4 +102,12 @@ public class WebSessionServerCsrfTokenRepositoryTests {
				@@ -102,4 +102,12 @@ public class WebSessionServerCsrfTokenRepositoryTests {
 		load = this.repository.loadToken(this.exchange).block();
 		assertThat(load).isNull();
 	}
+
+	@Test
+	public void saveTokenChangeSessionId() {
+		String originalSessionId = this.exchange.getSession().block().getId();
+		this.repository.saveToken(this.exchange, null).block();
+		WebSession session = this.exchange.getSession().block();
+		assertThat(session.getId()).isNotEqualTo(originalSessionId);
+	}
 }