Could this be due to CSRF protection? Do you include the CSRF token when invoking the login action?