Hello. I'm using SS for Digest auth in a Spring-based application.

Spring Core 4.2.5. Spring MVC 4.2.5. Spring Security 4.0.4.

Default Java configuration, like in the Spring documentation. Before every secured request, Digest requires authentication. The ChangeSessionIdAuthenticationStrategy class changes the session id after every authentication. So every secured request changes the session. With the classic scheme it works, but with an AJAX front end it doesn't. When I make 2 parallel HTTP requests to the same controller, I get a CSRF error on the second one. After detailed analysis I understood that I have a cleared (request.getSession(false) = null) session at the first filter on the second request. That's why CsrfFilter can't find a valid CSRF token in the repository.

I think it's not a valid AuthenticationStrategy for Digest.
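
A simplified model of the behavior this report describes, added here as an illustration and not code from the reporter or from Spring Security: the session id changes after each authenticated request, so a second request sent with the old cookie finds no session and fails the CSRF check. `SessionStore`, `handle` and the two scenario functions are hypothetical names, and the order of checks (CSRF before authentication) is an assumption of the model.

```python
import secrets


class SessionStore:
    """Server-side sessions keyed by the id the client sends in its cookie."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"csrf": secrets.token_hex(8)}
        return sid

    def get(self, sid):
        # Plays the role of request.getSession(false): None for an unknown id.
        return self._sessions.get(sid)

    def change_id(self, sid):
        # Attributes (including the CSRF token) move to a new id;
        # the old id no longer resolves to any session.
        new_sid = secrets.token_hex(8)
        self._sessions[new_sid] = self._sessions.pop(sid)
        return new_sid


def handle(store, cookie_sid, csrf_header):
    """One secured request. Returns (status, session id set on the response)."""
    session = store.get(cookie_sid)
    if session is None:
        return 403, None  # no session, so no stored token to compare against
    if not secrets.compare_digest(session["csrf"], csrf_header):
        return 403, cookie_sid
    # Authentication succeeded for this request: rotate the session id.
    return 200, store.change_id(cookie_sid)


def sequential_pair():
    """Second request is sent after the first response, with the new cookie."""
    store = SessionStore()
    sid = store.create()
    token = store.get(sid)["csrf"]
    status1, sid = handle(store, sid, token)
    status2, _ = handle(store, sid, token)
    return status1, status2


def parallel_pair():
    """Both requests leave the browser before either response arrives."""
    store = SessionStore()
    sid = store.create()
    token = store.get(sid)["csrf"]
    status1, _ = handle(store, sid, token)
    status2, _ = handle(store, sid, token)  # still carries the old cookie
    return status1, status2
```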

Comment From: rwinch

Closing because Digest authentication is considered insecure. See gh-9810