Magnolia / MAGNOLIA-6502

Authentication over URL triggers 'self-redirect' mechanism which leads to unfortunate consequences


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • 5.4.5
    • 5.4.4
    • None
    • Basel 27
    • 5

      One of the nastiest consequences of this issue is that the AdminCentral app doesn't play at all with URL-based authentication:
      In order to reproduce it, try https://demoauthor.magnolia-cms.com/.magnolia/admincentral?mgnlUserId=superuser&mgnlUserPSWD=superuser

      This happens because of how and when the LoginFilter kicks in within the chain:

      • it tries to handle each and every request via several handlers should there be enough data for those to process
      • in case authentication happens via URL query parameters, the info.magnolia.cms.security.auth.login.FormLogin is always triggered, and after authenticating a user successfully it notifies the LoginFilter that a 'self-redirect' is needed (as of MAGNOLIA-5991)
      • such a redirect messes up the Vaadin XHR-based communication mechanism: every XHR (a POST request) whose URL happens to have credentials in the query string is considered to be a login attempt and is then redirected to itself, causing the meaningful Vaadin payload (JSON) to get lost.
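
The effect described above, as an added example that is not part of the original issue and is not Magnolia code: a toy Java model of a filter that treats any request with `mgnlUserId`/`mgnlUserPSWD` in the query string as a login attempt and answers with a self-redirect, so a POST body never reaches the application. All class and method names are hypothetical, the request values are constructed, and `methodAwareFilter` is an assumed alternative, not the fix that shipped.

```java
import java.util.Optional;

// Added illustration, not Magnolia code: a toy filter chain modelling the report above.
public class SelfRedirectDemo {
    record Request(String method, String url, String body) {}
    // location != null means the filter answered with a redirect; delivered is what the app saw.
    record Outcome(int status, String location, Optional<String> delivered) {}

    // Constructed stand-in for the login handler finding credentials in the query string.
    static boolean hasUrlCredentials(Request r) {
        int q = r.url().indexOf('?');
        if (q < 0) return false;
        String query = r.url().substring(q + 1);
        return query.contains("mgnlUserId=") && query.contains("mgnlUserPSWD=");
    }

    // Stand-in for the application (the Vaadin side) at the end of the chain.
    static Outcome application(Request r) {
        return new Outcome(200, null, Optional.ofNullable(r.body()));
    }

    // Behaviour described in the report: every request with credentials is a login
    // attempt and is answered with a redirect to itself, so the chain stops here.
    static Outcome reportedFilter(Request r) {
        if (hasUrlCredentials(r)) {
            return new Outcome(302, r.url(), Optional.empty());
        }
        return application(r);
    }

    // Hypothetical alternative (an assumption, not the project's fix): self-redirect
    // only plain GET navigations; other methods continue down the chain with their body.
    static Outcome methodAwareFilter(Request r) {
        if (hasUrlCredentials(r) && r.method().equals("GET")) {
            return new Outcome(302, r.url(), Optional.empty());
        }
        return application(r);
    }

    public static void main(String[] args) {
        // Constructed sample values; the path is the one quoted in the issue.
        String url = "/.magnolia/admincentral?mgnlUserId=demo&mgnlUserPSWD=demo";
        Request xhr = new Request("POST", url, "{\"rpc\":\"constructed-payload\"}");
        Request nav = new Request("GET", url, null);
        System.out.println("reported, XHR POST: " + reportedFilter(xhr));
        System.out.println("variant,  XHR POST: " + methodAwareFilter(xhr));
        System.out.println("variant,  GET nav : " + methodAwareFilter(nav));
    }
}
```

A browser that follows a 302 issued in response to a POST normally repeats the request as a GET without the body, which is why the JSON payload cannot be recovered after the redirect.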


              apchelintcev Aleksandr Pchelintcev
              zdenekskodik Zdenek Skodik

                    Estimated: Not Specified
                    Remaining: 0d
                    Logged: 5h