If you do a login with the correct user/passwd and afterwards issue a wrong login (with wrong user/passwd), you get the 'response' from the first (valid) login, since the Cookie value from the previous response (set-cookie header) is used.
Here is a little test script. You can execute that in the Chrome console against our todoauth app on openshift:
The cookie value form the FIRST response is sent to the server when doing the second (invalid) login. There for we see the invocation of the 'success' callback on the second logon as well. Also the received response (on the second login) is the same that we got from the first:
Because the Cookie from the initial john/123 login was used...