diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
index e0d5eea388..47ad336d82 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
@@ -61,6 +61,7 @@ public class WebSessionServerCsrfTokenRepository
 		}
 		return exchange.getSession()
 			.doOnSuccess(session -> putToken(session.getAttributes(), token))
+			.flatMap(session -> session.changeSessionId())
 			.flatMap(r -> Mono.justOrEmpty(token));
 	}
 
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
index e9fb8cc7ab..06832c0fc5 100644
--- a/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
@@ -102,4 +102,12 @@ public class WebSessionServerCsrfTokenRepositoryTests {
 		load = this.repository.loadToken(this.exchange).block();
 		assertThat(load).isNull();
 	}
+
+	@Test
+	public void saveTokenChangeSessionId() {
+		String originalSessionId = this.exchange.getSession().block().getId();
+		this.repository.saveToken(this.exchange, null).block();
+		WebSession session = this.exchange.getSession().block();
+		assertThat(session.getId()).isNotEqualTo(originalSessionId);
+	}
 }
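Review bot: The mapper in the retained `.flatMap(r -> Mono.justOrEmpty(token))` can no longer run, because the newly inserted `.flatMap(session -> session.changeSessionId())` yields a `Mono<Void>`, which completes without emitting a value and therefore never invokes a downstream `flatMap`. The method signature is outside the hunk, so this is either dead code (if `saveToken` returns `Mono<Void>`) or a silent behaviour change in which callers now always receive an empty Mono instead of the saved token (if it returns `Mono<CsrfToken>`); in the latter case `.flatMap(session -> session.changeSessionId().then(Mono.justOrEmpty(token)))` keeps both the rotation and the emission. Note that the rotation also runs when `token` is null, i.e. when the token is being cleared — presumably intended, but worth stating. The intent of the new line is not obvious from the code, so I would add `// rotate the session id so a fixated session cannot carry a CSRF token known to the attacker` (confirm that this is the motivation).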
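Review bot: The new `saveTokenChangeSessionId` test only exercises the `null`-token (clear) path, so the rotation on the path that actually stores a token — the case the mitigation appears to be aimed at — is untested, and nothing asserts that the stored token is still readable after the id changes. I would add a second case that saves a non-null token, then asserts both `session.getId()` differs from the original and `this.repository.loadToken(this.exchange).block()` still returns that token, since `changeSessionId()` rotating the id while preserving attributes is the property the repository now depends on. Whether a suitable token fixture exists in the test class cannot be seen from this hunk.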