I have got 4.0.4GA, using login form and a login module where I set certain attributes to session.
When I login for first time a login form is presented and my login module is called and everything is ok (note the [STDOUT] which comes from my login module code):
15:48:40,968 DEBUG [AuthenticatorBase] Security checking request POST /DemoWeb/j_security_check 15:48:40,968 DEBUG [FormAuthenticator] Authenticating username 'S941' 15:48:40,968 INFO [STDOUT] SetSessionDBLoginModule Setting attributes 15:48:41,077 DEBUG [FormAuthenticator] Authentication of 'S941' was successful 15:48:41,077 DEBUG [FormAuthenticator] Redirecting to original '/DemoWeb/home.jsf'
15:51:06,931 DEBUG [AuthenticatorBase] Security checking request POST /DemoWeb/j_security_check 15:51:06,931 DEBUG [FormAuthenticator] Authenticating username 'S941' 15:51:06,947 DEBUG [FormAuthenticator] Authentication of 'S941' was successful 15:51:06,947 DEBUG [FormAuthenticator] Redirecting to original '/DemoWeb/home.jsf'
Well, I'll answer it myself as I found the reply. It is indeed credential caching:
http://wiki.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials