The summary isn't totally correct. This is:
"When accessing a moodle page that requires login, upon redirection to the login page, duplicate submission of this login, where the first submission clears a redirection parameter, results in the secondary (i.e. actual submissions with a browser still attached) not being redirected."
Steps to reproduce:
1. Make sure you are not logged into moodle
2. Request a moodle page that requires login
3. [Moodle redirects you to login page]
4. Enter credentials and submit form multiple times.
5. [Moodle redirects to self using testsession with $SESSION->wantsurl set to the original requested URL]
6. [Moodle checks testsession, unsets $SESSION->wantsurl and redirects to the original page]
7. [The secondary submissions are not redirected because wantsurl is now unset in the session]
The way that this works is by immediately disabling the submit button as the first action of an event attached to form submission. This isn't foolproof, but it does simply prevent multiple form submissions.
Battling with concurrency on multiple requests probably isn't worth it though. Possibly the superior solution is for the target page to clear wantsurl, rather than the login page. (Something like, if currenturl == wantsurl, then clear wantsurl or similar). I'm sure that there are obvious flaws with this approach too.
For the majority of cases, wantsurl is a handy little feature, and nobody is too annoyed when it doesn't work. (e.g. Redirecting to homepage instead of the requested course page.) For SSO implementation, where redirects are integral to authentication, this "bug" is DEVASTATING.