
InMemoryWebSession.changeSessionId reports error if the session does not exist [SPR-16201] #20749

@spring-projects-issues

Rob Winch opened SPR-16201 and commented

If a user invokes InMemoryWebSession.changeSessionId before the session has been created, an error is reported stating:

java.lang.IllegalStateException: Failed to change session id: 4854375d-1713-468b-9e4c-61fe282de0bc because the Session is no longer present in the store.
		at org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession.changeSessionId(InMemoryWebSessionStore.java:214)
		at org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository.lambda$saveToken$1(WebSessionServerCsrfTokenRepository.java:64)
		at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:118)
		... 36 more

I think the method should support changing the id even if the session is new.

As it currently stands, an additional problem is that it appears there is no way to determine if this operation is safe.


Affects: 5.0.1

Referenced from: commits 19a9bc4
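
The failure mode reported above, reduced to a self-contained Java sketch with a strict and a tolerant id rotation side by side. This is an added example, not Spring's code or the reporter's: the class `SessionIdRotationDemo`, its `Session` type and both `changeSessionId*` methods are hypothetical and model only the store lookup.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
// Simplified model for illustration; not Spring's InMemoryWebSessionStore.
public class SessionIdRotationDemo {
    static final Map<String, Session> store = new ConcurrentHashMap<>();

    static class Session {
        String id = UUID.randomUUID().toString();
        // A new session enters the store only when it is saved.
        void save() { store.put(id, this); }

        // Strict form: assumes the session is already stored, so a new
        // (unsaved) session fails the way the report describes.
        void changeSessionIdStrict() {
            if (store.remove(id) == null) {
                throw new IllegalStateException("Failed to change session id: " + id
                        + " because the Session is no longer present in the store.");
            }
            id = UUID.randomUUID().toString();
            store.put(id, this);
        }

        // Tolerant form: always rotate the id; re-key the store entry only
        // if the session had been saved under the old id.
        void changeSessionIdTolerant() {
            boolean wasStored = store.remove(id) != null;
            id = UUID.randomUUID().toString();
            if (wasStored) store.put(id, this);
        }
    }

    public static void main(String[] args) {
        Session fresh = new Session(); // never saved
        try {
            fresh.changeSessionIdStrict();
        } catch (IllegalStateException e) {
            System.out.println("strict, new session: " + e.getMessage());
        }
        String before = fresh.id;
        fresh.changeSessionIdTolerant(); // no exception
        System.out.println("tolerant, rotated: " + !before.equals(fresh.id));
        fresh.save();
        String saved = fresh.id;
        fresh.changeSessionIdTolerant(); // stored session is re-keyed
        System.out.println("old id gone: " + !store.containsKey(saved)
                + ", new id stored: " + store.containsKey(fresh.id));
    }
}
```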

Labels: in: web (issues in web modules: web, webmvc, webflux, websocket); type: bug (a general bug)
