Hooray! Theo (the mod_backhand maintainer) fixed the bug that was breaking our logins:
Confirmed and fixed in CVS. It is exactly what you suspected. I misused of the Apache table API. I assumed that the headers would be premerged (coming from the other Apache sever). This isn't always true, as you have seen.
On or around line 657 in mod_backhand.c, change AP_OVERLAP_TABLES_SET to AP_OVERLAP_TABLES_MERGE.
This will fix your problem. It will be rolled into the next release.