softwaremill / akka-http-session

Web & mobile client-side akka-http sessions, with optional JWT support

Home Page: https://softwaremill.com/open-source/

AuthenticationFailedRejection instead of AuthorizationFailedRejection?

hseeberger opened this issue

The ClientSessionManager uses an AuthorizationFailedRejection (by default) for a missing session, but wouldn't an AuthenticationFailedRejection be a better fit? The same applies to the CsrfManager.

Sorry for the late response, I was on vacation :)

I remember investigating this a while back, and as far as I recall there's quite a lot of debate on 403 vs 401, the latter being used for HTTP authentication.

See for example: http://stackoverflow.com/questions/4301877/http-status-code-for-missing-authentication
and https://en.wikipedia.org/wiki/HTTP_403

Hence the choice of an AuthorizationFailedRejection :)

Yeah, in the meantime I also came to that conclusion. Thanks!