It was noticed recently that we cannot re-login the user on every request if MCRServlet3LoginServlet is used: logging in again on every request changes the sessionId of the HTTPSession each time, which leads to lost sessions.
For the sake of correctness we have to use the authenticate() method of the request here. Tomcat currently (8.0.30) lacks a feature: calling authenticate() after a successful login() triggers a DIGEST authentication, as DIGEST is the auth-method defined for MCRContainerLogin.
If we change the auth-method to "FORM", the container login becomes a bit less secure, as the password is transmitted over the wire. Since this is already the case for local users, it does not open any "new" security holes. With "FORM", Tomcat allows authenticate() to use the credentials supplied to login(). This is what we want for sure!
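The flow described above (call login() once, then rely on authenticate() for every later request, and watch the session id so that a lost session is detected rather than silently tolerated), as an added example. This is not MyCoRe or MIR project code: the class name ContainerLoginHelper and its two methods are assumptions made for the illustration. It uses only the Servlet 3.0 API (HttpServletRequest.login() and HttpServletRequest.authenticate()) and assumes the web application's web.xml login-config is switched to <auth-method>FORM</auth-method>, so that Tomcat reuses the credentials from login() instead of starting a DIGEST challenge.

```java
// Added example, not project code: a helper that logs the container user in once
// and re-authenticates on later requests via authenticate(). Assumes web.xml uses
// <auth-method>FORM</auth-method> so Tomcat reuses the login() credentials.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public final class ContainerLoginHelper {

    private ContainerLoginHelper() {
    }

    /**
     * First request of a session: perform the programmatic login exactly once.
     * Calling login() again on every request is what changes the session id
     * and loses the session, so skip it when a principal is already present.
     */
    public static boolean loginOnce(HttpServletRequest request, String user, String password)
            throws ServletException {
        if (request.getUserPrincipal() != null) {
            return true; // already authenticated in this session; do not log in again
        }
        request.login(user, password); // throws ServletException on bad credentials
        return request.getUserPrincipal() != null;
    }

    /**
     * Every later request: let the container authenticate the caller.
     * With FORM auth Tomcat reuses the credentials given to login(); with
     * DIGEST it would instead send a new challenge. Returns the principal,
     * or null when the container has committed a challenge/redirect response.
     */
    public static Principal authenticateRequest(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        HttpSession before = request.getSession(false);
        String idBefore = before == null ? null : before.getId();

        if (!request.authenticate(response)) {
            return null; // response already contains the challenge; stop processing
        }

        HttpSession after = request.getSession(false);
        String idAfter = after == null ? null : after.getId();
        if (idBefore != null && !idBefore.equals(idAfter)) {
            // Detection hook: a changed session id during re-authentication is the
            // symptom from the issue (the old HTTPSession is lost). Log it so the
            // misconfiguration (e.g. DIGEST still active) shows up in the logs.
            request.getServletContext().log(
                "session id changed during authenticate(): " + idBefore + " -> " + idAfter);
        }
        return request.getUserPrincipal();
    }
}
```

Usage: call loginOnce() from the login servlet when the user submits credentials, and authenticateRequest() from the request filter on all subsequent requests; if the log line about a changed session id appears, the container is not reusing the login() credentials and the auth-method should be checked.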