diff --git a/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc b/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc
index 3f17e9b39a..441f6a528f 100644
--- a/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc
+++ b/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc
@@ -114,6 +114,72 @@ public SecurityFilterChain filterChain(HttpSecurity http) {
----
====
+[[delegatingsecuritycontextrepository]]
+=== DelegatingSecurityContextRepository
+
+The {security-api-url}org/springframework/security/web/context/DelegatingSecurityContextRepository.html[`DelegatingSecurityContextRepository`] saves the `SecurityContext` to multiple `SecurityContextRepository` delegates and allows retrieval from any of the delegates in a specified order.
+
+The most useful arrangement for this is configured with the following example, which allows the use of both xref:requestattributesecuritycontextrepository[`RequestAttributeSecurityContextRepository`] and xref:httpsecuritycontextrepository[`HttpSessionSecurityContextRepository`] simultaneously.
+
+.Configure DelegatingSecurityContextRepository
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ // ...
+ .securityContext((securityContext) -> securityContext
+ .securityContextRepository(new DelegatingSecurityContextRepository(
+ new RequestAttributeSecurityContextRepository(),
+ new HttpSessionSecurityContextRepository()
+ ))
+ );
+ return http.build();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+ http {
+ // ...
+ securityContext {
+ securityContextRepository = DelegatingSecurityContextRepository(
+ RequestAttributeSecurityContextRepository(),
+ HttpSessionSecurityContextRepository()
+ )
+ }
+ }
+ return http.build()
+}
+----
+
+.XML
+[source,xml,role="secondary"]
+----
+
+
+
+
+
+
+
+
+
+
+
+----
+====
+
+[NOTE]
+====
+In Spring Security 6, the example shown above is the default configuration.
+====
[[securitycontextpersistencefilter]]
== SecurityContextPersistenceFilter
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
index 7fb066f661..a93ec34220 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@ import org.springframework.web.util.WebUtils;
* AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()}.
*
* @author Rob Winch
+ * @author Steve Riesenberg
* @since 4.1
*/
public final class CookieCsrfTokenRepository implements CsrfTokenRepository {