I am using Seam 2.0 CR2 with JBoss 4.2.1.GA.
You probably have an s:hasRole or other security check somewhere in your page - Seam Security will attempt to perform a silent login if the user's credentials are available but the user hasn't been authenticated yet.
Thanks for the hint. I tried to look around my codes for hidden/implicit security check but no luck. Even created a bare bone test and still no luck. So after 3 days of debugging, I have decided to 'hack' my login module to avoid certain actions in the second time the login module is invoked. This is definitely not a clean solution :(