diff --git a/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java b/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 34e2b447e3e..202377c0bd4 100644
--- a/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/appserver/web/web-core/src/main/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -450,7 +450,12 @@ protected boolean restoreRequest(HttpRequest request, Session session)
 ByteChunk body = saved.getBody();
 if (body != null) {
- request.replayPayload(body.getBytes());
+ byte[] tempData = body.getBytes();
+ // tempData is a buffer with reserved extra space
+ // we must keep only the valid data here
+ byte[] data = new byte[body.getLength()];
+ System.arraycopy(tempData, body.getStart(), data, 0, data.length);
+ request.replayPayload(data);
 // If no content type specified, use default for POST
 String savedContentType = saved.getContentType();
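Review bot: The new copy in restoreRequest dereferences `tempData` without a null check. If `body.getBytes()` can return null for a saved request that carried no payload (not visible in this hunk), `System.arraycopy` throws a NullPointerException even when `body.getLength()` is 0, which would break the replay after a successful form login. A guarded form would be `byte[] data = tempData == null ? new byte[0] : Arrays.copyOfRange(tempData, body.getStart(), body.getStart() + body.getLength());`, which needs `java.util.Arrays` if the file does not already import it. The comment could also name the consequence it prevents, for example `// replay only [start, start + length): the rest of the backing array is unused capacity and must not reach the application as request body`. The enclosing method starts and ends outside this hunk.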