Perhaps I am overthinking this, but I would like to understand the purpose of redirecting a user after the POST of their credentials to the login page. For example, the POST action can submit the user’s credentials to something like /app/login.php, and then after authentication that login application page could load a landing page for the user without actually redirecting the user. However, is there something that happens if a user is redirected to a new page instead? It is recommended, but I have not found any explanation for it other than preventing the user from potentially reloading the page and resubmitting form data. It is recommended as a security best practice and I can theorize why it might be done in that regard, but I would really like to have an answer other than “… because that is what everyone does.”
Thanks a lot in advance.
Just as a very quick point: when the advice is to redirect a user, it is normally using the Post-Redirect-Get method. So the user isn’t usually presented with a ‘You are being redirected’ message or something similar. The server sends the redirect in the response and the browser takes action and goes to the location given.
A short example:
Imagine you have a site with:
One reason is for separation of functionality. So your login page is specifically for logging in and dashboard page is to show the user’s account (or something similar).
Yup, you could just include the dashboard/other page in the login page without redirecting but then you run into another problem. If the user can access their dashboard using /login and /dashboard, what happens if they bookmark the login page? Also, if you are on a POSTed page, then if the user wants to refresh the page then the browser will probably warn them that they’ll repost. From a purely usability view, this would be really annoying if I had to keep accepting just to see my News Feed on Facebook.
Each refresh on the posted page would log the user back in. If you had an audit log enabled then you’ll have a load of ‘Login’ records just because the user wanted to refresh the news feed. Imagine if your site did something on each user login (for example, sending an email out). Just refreshing the dashboard page would send out an email each time.
Another reason is that lots of sites will provide a redirect URL when an unauthenticated user tries to access a restricted page. After logging in, the site redirects the user to the page they originally requested. The Post-Redirect-Get for logging in makes this easier to do (if you’ve already implemented it for general logging in, then it’s not much more effort to have this feature).
There are various other reasons but one of the biggest for me is that the form isn’t resubmitted. Not related to just logging in, but I once had a ‘Test SMS’ feature on a site of mine that didn’t implement the Post-Redirect-Get method. Someone sent one test message and then kept pressing refresh. Within a few minutes all of my SMS credits were used up. Yes, the person could have just pressed back and resubmitted but refresh is just easier.
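The two login handlers the answer contrasts, as an added example that is not part of the original post or answer. It models a tiny in-memory app in Python with constructed sample credentials: `login_inline` renders the dashboard straight from the POST (so a browser refresh re-submits the form and writes another audit record each time), while `login_prg` answers 303 See Other and lets the browser GET `/dashboard`, which is idempotent. The `next` handling for the "return to the page you originally asked for" feature is an assumption about how such a site would be built, and it only accepts site-relative paths. The class, function and route names are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample credential store for the example only; a real system
# would store salted password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Response:
    status: int      # HTTP status code
    headers: dict    # response headers the browser would act on
    body: str


def session_cookie(sid):
    """Session cookie with the usual hardening attributes."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def safe_next(target):
    """Accept only a site-relative path as the post-login destination, so the
    'send the user back to the page they requested' feature cannot become an
    open redirect. Anything else falls back to the dashboard."""
    if target and target.startswith("/") and not target.startswith("//"):
        return target
    return "/dashboard"


class App:
    def __init__(self):
        self.sessions = {}   # session id -> username
        self.audit_log = []  # one ("login", user) record per successful login

    def _authenticate(self, form):
        """Check credentials, record the login, and mint a session id."""
        username = form.get("username", "")
        expected = USERS.get(username)
        # Constant-time comparison so the check does not leak via timing.
        if expected is None or not hmac.compare_digest(expected, form.get("password", "")):
            return None
        self.audit_log.append(("login", username))
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def login_inline(self, form):
        """Anti-pattern: POST /login renders the dashboard in the POST response.
        Refreshing that page re-POSTs the form and logs the user in again."""
        sid = self._authenticate(form)
        if sid is None:
            return Response(401, {}, "invalid credentials")
        return Response(200, {"Set-Cookie": session_cookie(sid)},
                        f"Welcome {self.sessions[sid]}")

    def login_prg(self, form):
        """Post-Redirect-Get: POST /login answers 303 See Other; the browser
        then GETs the Location, and that GET is what a refresh repeats."""
        sid = self._authenticate(form)
        if sid is None:
            return Response(401, {}, "invalid credentials")
        return Response(303, {"Location": safe_next(form.get("next")),
                              "Set-Cookie": session_cookie(sid)}, "")

    def dashboard(self, cookies):
        """GET /dashboard: idempotent, no login side effects, safe to refresh."""
        user = self.sessions.get(cookies.get("sid", ""))
        if user is None:
            # Unauthenticated: bounce to login and remember where they wanted to go.
            return Response(303, {"Location": "/login?next=/dashboard"}, "")
        return Response(200, {}, f"Welcome {user}")


def login_events_after_refreshes(use_prg, refreshes=3):
    """Log in once, then 'refresh' the resulting page `refreshes` times.
    Returns the number of login records the audit log holds afterwards."""
    app = App()
    form = {"username": "alice", "password": "correct horse battery staple"}
    if use_prg:
        first = app.login_prg(form)
        assert first.status == 303 and first.headers["Location"] == "/dashboard"
        sid = first.headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
        page = app.dashboard({"sid": sid})         # browser follows the redirect
        for _ in range(refreshes):
            page = app.dashboard({"sid": sid})     # refresh repeats only the GET
    else:
        page = app.login_inline(form)
        for _ in range(refreshes):
            page = app.login_inline(form)          # refresh re-submits the POST
    assert page.status == 200
    return len(app.audit_log)


if __name__ == "__main__":
    print("inline login, 3 refreshes ->", login_events_after_refreshes(False), "login records")
    print("PRG login,    3 refreshes ->", login_events_after_refreshes(True), "login records")
```

With the inline handler the audit log grows by one record per refresh (and so would any per-login side effect such as the email or SMS in the answer); with Post-Redirect-Get it stays at a single record no matter how often the dashboard is reloaded, and the login URL never serves the dashboard, so bookmarking it is harmless.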