After login, go back to the page you were on

For the moment, when you log in you go back to the site home page. It would be great to go back to the thread you were on (and at the post #id), even if you failed to log in once.
mrmixer
> For the moment, when you log in you go back to the site home page. It would be great to go back to the thread you were on (and at the post #id), even if you failed to log in once.


The problem with that is that it can't be done in a trusted way, at least not in a very straightforward way.
The referrer header can't be trusted. Likewise, adding an /after/page-we-came-from param can be faked.

The session from before you log in and the session after you log in aren't necessarily the same session, and even then we'd have to trust the login form to tell us the referring page, which comes from the browser.

I'm not sure there would be any security implications if we did do just this, because even if you changed the 'and then go back to this page' param in the url, if you don't have permission to visit it after you logged in, it's still tough cookies. I'll have to ponder it. We'll come back to this in March when we pick up work on the backend again.

Thanks, Simon.
Kelimion
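Kelimion's objection above (the referrer header and any "go back to this page" parameter both come from the browser and can be forged) is normally handled by validating the parameter rather than trusting it: accept only an absolute path on this site, reject anything that could send the user to another host (a scheme, `//host`, `///host`, backslashes, control characters), and fall back to the home page otherwise. The code below is an added example written for this thread; it is not the forum's own backend code. The `/login?next=` parameter name, the `HOME_PATH` fallback and the function names are assumptions. It keeps the `#post-id` fragment so the user lands on the post they were reading, and carries the sanitised target through a failed login attempt so a retry still returns them to the thread. Whether the user may actually view the target after logging in is still decided by the target page itself, as Kelimion notes.

```python
from typing import Optional, Tuple
from urllib.parse import quote, urlsplit, urlunsplit

# Assumed fallback when the supplied target is missing or untrustworthy.
HOME_PATH = "/"


def safe_return_to(candidate: Optional[str], home: str = HOME_PATH) -> str:
    """Return a redirect target that is guaranteed to stay on this site.

    The candidate is attacker-controlled (query parameter, hidden form field
    or referrer), so anything that is not a plain same-site absolute path
    is replaced by the home page.
    """
    if not candidate:
        return home
    # Control characters and whitespace can smuggle headers or confuse
    # URL parsers; backslashes are treated like slashes by some browsers.
    if any(ord(ch) < 0x20 or ch in " \\" for ch in candidate):
        return home
    # "//host" is a protocol-relative URL and browsers also resolve "///host"
    # to an external authority, so check the raw string, not the parsed path.
    if candidate.startswith("//"):
        return home
    parts = urlsplit(candidate)
    # Anything carrying a scheme or authority (https://..., javascript:...)
    # leaves the site.
    if parts.scheme or parts.netloc:
        return home
    if not parts.path.startswith("/"):
        return home
    # Rebuild with an empty scheme and netloc so only path, query and the
    # post fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def login_form_url(current_path: str) -> str:
    """Link to the login form, carrying the current page as the return target.

    Only a target we would accept back is encoded; otherwise the parameter
    is omitted and the user ends up on the home page after login.
    """
    target = safe_return_to(current_path)
    if target == HOME_PATH:
        return "/login"
    return "/login?next=" + quote(target, safe="")


def handle_login(credentials_ok: bool, next_param: Optional[str]) -> Tuple[str, str]:
    """Decide what the login endpoint does after checking credentials.

    Returns ("redirect", target) on success. On failure it returns
    ("render_form", url) where the form URL still carries the sanitised
    target, so a failed first attempt does not lose the user's place.
    """
    target = safe_return_to(next_param)
    if credentials_ok:
        return ("redirect", target)
    return ("render_form", login_form_url(target))


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate thread link and a forged one.
    print(handle_login(True, "/thread/42#post-7"))
    print(handle_login(True, "//evil.example/phish"))
    print(handle_login(False, "/thread/42#post-7"))
```

The validation deliberately works on the raw string before parsing for the leading-slash cases, because `urlsplit` reports an empty host for `///evil.example` while browsers resolve it to that host.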

> I'm not sure there would be any security implications if we did do just this, because even if you changed the 'and then go back to this page' param in the url, if you don't have permission to visit it after you logged in, it's still tough cookies. I'll have to ponder it. We'll come back to this in March when we pick up work on the backend again.
>
> Thanks, Simon.


Then the 2 options are: show a 404/403 page, or redirect to the main page/project main page.
ratchetfreak
> Kelimion
> > I'm not sure there would be any security implications if we did do just this, because even if you changed the 'and then go back to this page' param in the url, if you don't have permission to visit it after you logged in, it's still tough cookies. I'll have to ponder it. We'll come back to this in March when we pick up work on the backend again.
> >
> > Thanks, Simon.
>
> Then the 2 options are: show a 404/403 page, or redirect to the main page/project main page.


Well, yes, that's what I mean by "then it's tough cookies", for the implied visitor in question.