tomcat form-based authentication for GWT app occasionally stuck at j_security_check

Question

I have a GWT app running on Tomcat 8.5 running behind a firewall / load-balancer using form-based authentication for most of the resources. Most of the time it's all fine, but a while ago it started occasionally either getting stuck on the j_security_check "page" (~/j_security_check displayed in the URL) with a 408 login timeout error, or coming up with a blank page caused by the GWT .js file actually containing the login page html after the redirect from j_security_check back to the protected resource. This occurs only irregularly, and so far I haven't been able to consistently reproduce the behavior, although once it happens, it generally continues until I clear cache and reload.

I have tried forcing no-caching headers on all the resources (to the extent I can), per other similar SO post answers, but to no avail.

In the case where the blank page comes up, it seems like the browser is inappropriately caching the .js file (dev tools says it has loaded it from cache.) And although the other answers indicate that the 408 timeout error is caching related, I wonder if it possibly some flaw in the session management.

I am a bit stumped, especially since it occurs irregularly, I don't usually have dev tools up to catch what the state was and what happened the first it happens.

I would very much appreciate any suggestions on where to look, and if you need more information, I can try to provide that.

Thanks in advance, Linus