In the previous versions of JBoss EAP 6, the behavior of HttpSession creation differs when used together with a following programmatic login:
* Without SSO: session is not created while calling the `login()` method. Thus, subsequent requests are unauthenticated
* With non-clustered SSO: session is created while calling the `login()` method, but the first call does not set the authentication status. The subsequent requests are unauthenticated and the user is authenticated after the second call of `login()` method, because the session is already present.
* With clustered SSO: session is created while `login()` method and subsequen requests are authenticated
This issue is fixed in the current version of JBoss EAP 6. The `org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION` class has a new option to always create a session.