Pending


saisantosh-cpu
28 Mar 2026

Pull Request resolves #47482.

  • [x] I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

Fixes an issue where the login redirect target is lost when accessing a protected page via direct link in a new tab.

Previously, the return URL was stored only in the session using users.login.form.data. This fails when SameSite=Strict prevents session cookies from being sent, or when multiple tabs overwrite session state.

This patch adds the return URL as a base64-encoded parameter in the login redirect URL, making the redirect stateless and tab-specific.

The session-based storage is retained as a fallback for backward compatibility.

Testing Instructions

  1. Log out of the site.
  2. Copy the URL of a menu item that requires "Registered" access.
  3. Open that URL in a new browser tab (or from an external source like email).
  4. You will be redirected to the login page.
  5. Log in.

Test also:

  • Open multiple protected links in different tabs before logging in.
  • Repeat test with no active session.

Actual result BEFORE applying this Pull Request

After login, the user is redirected to the profile page or home page instead of the originally requested page.

This occurs especially when:

  • Opening links in a new tab from external context
  • No session cookie is sent due to SameSite=Strict
  • Multiple tabs overwrite session state

Expected result AFTER applying this Pull Request

After login, the user is redirected to the originally requested protected page.

The redirect target is preserved via URL parameter and is independent of session state.

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:
  • [x] No documentation changes for guide.joomla.org needed
  • Pull Request link for manual.joomla.org:
  • [x] No documentation changes for manual.joomla.org needed
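
A return target carried in the login URL is supplied by the client, so the login handler has to decode and check it before redirecting. The PHP below is an added example, not code from this pull request or from Joomla core; the function names, the `example.org` host and the fallback path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Joomla core code. Function names, the site host
// and the fallback path are assumptions made for this example.

/** Encode a return URL for use as the login link's "return" parameter. */
function encodeReturn(string $url): string
{
    return base64_encode($url);
}

/**
 * Decode a client-supplied "return" parameter and accept it only if it
 * points back to this site; otherwise use the fallback.
 */
function resolveReturn(?string $param, string $siteHost, string $fallback = '/index.php'): string
{
    if ($param === null || $param === '') {
        return $fallback;
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $url = base64_decode($param, true);
    // Reject undecodable input, whitespace, control characters and
    // backslashes (some browsers treat "\" like "/").
    if ($url === false || $url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['host'])) {
        // Absolute or protocol-relative URL: same host and a web scheme only.
        $scheme   = strtolower($parts['scheme'] ?? 'https');
        $sameHost = strcasecmp($parts['host'], $siteHost) === 0;
        return ($sameHost && in_array($scheme, ['http', 'https'], true)) ? $url : $fallback;
    }
    // No host: allow only a site-relative path ("/..."), never a bare
    // scheme such as "javascript:" and never a path starting with "//".
    $relative = !isset($parts['scheme']) && str_starts_with($url, '/') && !str_starts_with($url, '//');
    return $relative ? $url : $fallback;
}

// Constructed sample inputs; example.org stands in for the site's own host.
$samples = ['/index.php?option=com_content&id=5', 'https://example.org/members',
            'https://other.example/', '//other.example/x', 'javascript:alert(1)'];
foreach ($samples as $target) {
    printf("%-40s => %s\n", $target, resolveReturn(encodeReturn($target), 'example.org'));
}
```
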
saisantosh-cpu - open - 28 Mar 2026
saisantosh-cpu - change - 28 Mar 2026
Status New Pending
joomla-cms-bot - change - 28 Mar 2026
Category Libraries
ssnobben - comment - 28 Mar 2026

FYI. Tested on Joomla 6.0.3, PHP 84.19, and had this backend error when trying to log in to the Joomla backend:

Joomla\CMS\Application\SiteApplication::__construct(): Argument #1 ($input) must be of type ?Joomla\CMS\Input\Input, Joomla\Input\Input given, called in/libraries/src/Service/Provider/Application.php on line 101

in /libraries/src/Application/SiteApplication.php (line 86)

     *                                  application's client object, otherwise a default client object is created.
     * @param   ?Container  $container  Dependency injection container.
     *
     * @since   3.2
     */
    public function __construct(?Input $input = null, ?Registry $config = null, ?WebClient $client = null, ?Container $container = null)
    {
        // Register the application name
        $this->name = 'site';
        // Register the client ID

SiteApplication->__construct() in /libraries/src/Service/Provider/Application.php (line 101)
in /libraries/vendor/joomla/di/src/ContainerResource.php -> {closure:Joomla\CMS\Service\Provider\Application::register():100} (line 162)
in /libraries/vendor/joomla/di/src/Container.php -> getInstance (line 95)
Container->get() in /libraries/src/Service/Provider/Router.php (line 47)
in /libraries/vendor/joomla/di/src/ContainerResource.php -> {closure:Joomla\CMS\Service\Provider\Router::register():46} (line 162)
in /libraries/vendor/joomla/di/src/Container.php -> getInstance (line 95)
in /libraries/vendor/joomla/di/src/Container.php -> get (line 89)
Container->get() in /libraries/src/Extension/Service/Provider/MVCFactory.php (line 79)
in /libraries/vendor/joomla/di/src/ContainerResource.php -> {closure:Joomla\CMS\Extension\Service\Provider\MVCFactory::register():69} (line 168)
in /libraries/vendor/joomla/di/src/Container.php -> getInstance (line 95)
Container->get() in /libraries/src/Extension/Service/Provider/ComponentDispatcherFactory.php (line 63)
in /libraries/vendor/joomla/di/src/ContainerResource.php -> {closure:Joomla\CMS\Extension\Service\Provider\ComponentDispatcherFactory::register():62} (line 168)
in /libraries/vendor/joomla/di/src/Container.php -> getInstance (line 95)
Container->get() in /administrator/components/com_templates/services/provider.php (line 46)
in /libraries/vendor/joomla/di/src/ContainerResource.php -> {closure:Joomla\DI\ServiceProviderInterface@anonymous/administrator/components/com_templates/services/provider.php:28$1a::register():45} (line 168)
in /libraries/vendor/joomla/di/src/Container.php -> getInstance (line 95)
Container->get() in /libraries/src/Extension/ExtensionManagerTrait.php (line 177)
CMSApplication->loadExtension() in /libraries/src/Extension/ExtensionManagerTrait.php (line 51)
CMSApplication->bootComponent() in /libraries/src/Application/AdministratorApplication.php (line 253)
AdministratorApplication->getTemplate() in /libraries/src/Error/Renderer/HtmlRenderer.php (line 50)
HtmlRenderer->render() in /libraries/src/Exception/ExceptionHandler.php (line 142)
ExceptionHandler::render() in /libraries/src/Exception/ExceptionHandler.php (line 76)
ExceptionHandler::handleException() in /libraries/src/Application/CMSApplication.php (line 350)
CMSApplication->execute() in /administrator/includes/app.php (line 58)
require_once('/administrator/includes/app.php') in /administrator/index.php (line 32)

brianteeman - comment - 28 Mar 2026

Did you actually test this yourself?

Fatal error: Declaration of Joomla\CMS\Event\AbstractImmutableEvent::offsetSet($name, $value) must be compatible with Joomla\Event\Event::offsetSet($name, $value): void in D:\repos\j6\libraries\src\Event\AbstractImmutableEvent.php on line 65

muhme - comment - 30 Mar 2026

@saisantosh-cpu Thank you very much for your contribution!

If you are creating a PR for the 5.4-dev branch, please make sure to test your changes against that branch rather than 6.0.3.

Additionally, the continuous integration currently reports PHP code style issues that need to be addressed.

We will set this PR to draft for now. Please feel free to update it within the next two weeks and mark it as ready for review again — otherwise, we may need to close it.

muhme - change - 30 Mar 2026
Title
Fix login redirect lost when accessing protected pages via direct link
[5.4] DRAFT login redirect lost when accessing protected pages via direct link
muhme - edited - 30 Mar 2026
