Upstream issue for JBPAPP-5171 – see that issue for further discussion.

When using the DataSourcePersistentManager [1] to store web sessions, submitting a
FORM login page results in a 408 error because the session is not found.

The initial request for the protected resource sets the JSESSIONID cookie and returns the login form.
But the session is not saved in the database, so submitting the form results in a 408 error.

If the session already exists prior to the request for the protected resource, it works correctly.

[1] http://community.jboss.org/wiki/HAWebSessionsviaDatabasePersistence