Spring Security No Session Cookie when using a CookieServerCsrfTokenRepository

Describe the bug Enabling the CookieServerCsrfTokenRepository causes a SESSION cookie to no longer be set.

To Reproduce Take any spring webflux app, enable CSRF protection and set a CookieServerCsrfTokenRepository.

Expected behavior Setting a CookieServerCsrfTokenRepository should have no effect on how SESSION cookies are set.

Sample

https://github.com/PedroAlvarado/csrfnosession

See the Stackoverflow question for somewhat relevant additional context. https://stackoverflow.com/questions/74085413/no-session-cookie-set-when-using-cookieservercsrftokenrepository

Comment From: PedroAlvarado

There is no issue. After digging further, under both Webflux and MVC, the moment a cookie-based CSRF repository is configured, it swaps the default one which is WebSession/Session based. The WebSession/Session variants of this repository eventually end up creating a new instance of a session which eventually flows as a cookie. The cookie-based variants of CSRF token repository never create a new instance of a session, hence, no session cookies are set under an out-of-the-box spring boot.

Please note that while a session instance may be created by these repositories, they do not "start" a session.