diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 92ab68f80a..ed1ee91290 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -2,6 +2,7 @@
 namespace Drupal\Core\Session;
+use Drupal\Component\Utility\Crypt;
 use Drupal\Core\Database\Connection;
 use Drupal\Core\DependencyInjection\DependencySerializationTrait;
 use Symfony\Component\HttpFoundation\RequestStack;
@@ -198,6 +199,10 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
 return;
 }
+ // We set token seed immediately to avoid race condition between two
+ // simultaneous requests without a seed.
+ $this->getMetadataBag()->setCsrfTokenSeed(Crypt::randomBytesBase64());
+
 return parent::regenerate($destroy, $lifetime);
 }
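Review bot: The comment added in `regenerate()` describes only the no-seed race, but the `setCsrfTokenSeed(Crypt::randomBytesBase64())` call below it replaces the seed unconditionally, so every regeneration also invalidates CSRF tokens issued under the previous seed. If that rotation is intended, the comment should say so, for example `// Always issue a fresh seed on regeneration so tokens minted under the old session stop validating; seeding here rather than lazily also avoids two concurrent requests each generating their own seed.` The seed is also written before `parent::regenerate()` runs and its result is not inspected here, so if the parent can fail without changing the session id, the old session would presumably keep a rotated seed; that is worth confirming against the parent implementation. The start of `regenerate()` lies outside the hunk, so the earlier guards are not visible from here.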