Although this case isn't too common: if you are using a custom login form with the FAIL_URL option and have already logged in correctly to DA with that form, but then decide to log in again with a wrong password, the failed login did not redirect the client to the FAIL_URL. This is because of the logic:

    If authenticated:
        do authenticated things
    else
        send error

Since you're already authenticated, the send error code is never reached. Calling CMD_LOGIN while already logged in is a different case (essentially never used), and just shows the login page without any of the fancy options, hence the issue.

What I've done is changed it so that if you call CMD_LOGIN when you're already logged in, you're sent to /, and the login system will take care of the reset correctly. Because the main login checking code would be re-run, the session would then be reset correctly, so if the wrong password is used, you'll get the FAIL_URL as expected.
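The control flow above as a small model, added here as an illustration and not DirectAdmin's own code. The handler names, sample account, and FAIL_URL value are hypothetical, and "sent to /" is modelled as re-running the main login check on the posted form.

```python
# Toy model of the flow described above; not DirectAdmin's code.
USERS = {"admin": "s3cret"}        # constructed sample account
FAIL_URL = "/login_failed.html"    # hypothetical FAIL_URL value sent by the custom form
PLAIN_LOGIN = ("page", "plain login page")


def panel(session):
    return ("page", "panel for " + session["user"])


def check_login(form, session):
    """Main login check: reset the session, then validate the posted form."""
    session.clear()
    if not form.get("username"):
        return PLAIN_LOGIN
    expected = USERS.get(form["username"])
    if expected is not None and expected == form.get("password"):
        session["user"] = form["username"]
        return ("redirect", "/")
    return ("redirect", form.get("FAIL_URL", "/CMD_LOGIN"))


def handle_old(path, form, session):
    if "user" in session:                  # if authenticated: do authenticated things
        if path == "/CMD_LOGIN":
            return PLAIN_LOGIN             # posted password and FAIL_URL are ignored
        return panel(session)
    return check_login(form, session)      # else: send error (never reached when logged in)


def handle_new(path, form, session):
    if path == "/CMD_LOGIN" and "user" in session:
        if form.get("username"):           # assumption: "sent to /" re-runs the main check
            return check_login(form, session)
        path = "/"
    if "user" in session:
        return panel(session)
    return check_login(form, session)


def relogin_with_wrong_password(handler):
    """Log in correctly, then post a wrong password to CMD_LOGIN; return (response, session)."""
    session = {}
    good = {"username": "admin", "password": "s3cret", "FAIL_URL": FAIL_URL}
    handler("/CMD_LOGIN", good, session)
    return handler("/CMD_LOGIN", dict(good, password="wrong"), session), session
```

In the old flow the earlier session also survives the failed attempt; in the changed flow it is reset before the client is sent to the FAIL_URL.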