If you let your browser sit long enough, the page will be redirected to CMD_LOGOUT. If the session on the server has expired before the browser does the redirect (possible if the clocks are off by a small amount), then the unauthorized page the browser is trying to access is CMD_LOGOUT. Since the client isn't logged in, the login page is shown.. and once a valid login works, DA happily redirects the browser to where it wanted to go: CMD_LOGOUT... Authorized calls to CMD_LOGOUT get redirected to CMD_LOGIN... This is why there is a double login sometimes. The fix was to simply to prevent using CMD_LOGOUT in the "referer" field in the login form. If that's the referer value, either / is used, or no value is used at all.. thus the login will send you to /, and not CMD_LOGOUT, preventing the double login.