Login code pattern

When coding a login interface it’s common to follow this pattern:

  1. POST data to a script that checks it and sets appropriate cookies
  2. On success redirect to the previous (or some other) page
  3. On error show that error or redirect to an error page

You do this so that users don’t get the annoying “resend data” pop-up if/when they reload the destination page. On the other hand, this pattern has a usability problem when the login data is correct but cookies are turned off: the session cookie is silently dropped and the user is bounced straight back to the login page.

For some reason my cookies were disabled today. That means that logging in to Twitter (which uses the previously described pattern) looked a bit weird. I’d log in, get redirected and end up on the home page again. The same thing happened on the Mozilla Addons page. The very definition of recursion.

When I finally figured it out, I immediately thought of a solution. When you redirect from the POST handler, add a marker to the URL; that way the destination page can check whether you’re actually logged in and alert you if you’re not.

Now this has a few problems of its own:

  1. It exposes the fact that you have an account on a specific service, which can be detected with history sniffing (the marker URL ends up in the browser history).
  2. If you create a user-based URL to circumvent the previous issue, you might leak user information.
  3. If you reload the destination page after the session has expired, you’ll get an alert that may itself be wrong (you would have to implement some server-side logic that checks whether the session has just started).

With all this in mind I still think that redirecting to a different URL is better than leaving users without any information (no matter how uncommon disabled cookies are).

How do YOU solve this?


3 Responses to “Login code pattern”

  1. Jure says:

    Wouldn’t you want to split 1.) into

    – check if user supports cookies
    – set appropriate cookies

    So that you can actually tell the user to check for cookies. At least that’s the way Django works.

  2. Not sure what you mean by “check if user supports cookies” as you can’t really do that on the server unless you’re already expecting a cookie.

    You could be setting a cookie when displaying the page with the login form and expecting that cookie to show up after POST, but that might also be an issue as cookies expire.

  3. Jure says:

    Django has a method for this:
    http://docs.djangoproject.com/en/dev/topics/http/sessions/#setting-test-cookies

    Run the first method when showing the login screen, so you can present a cookies-related error after POST.

    If user manages to lose that cookie in that time window, then he’ll have problems with your site anyway.
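The whole flow from the post and the comments, as an added example that is not code from the original post, from Twitter, from Mozilla Addons or from Django: a pre-flight test cookie set with the login form (the Django-style check Jure describes), the POST handler that refuses to proceed when that cookie did not come back, the redirect carrying a `just_logged_in` marker, and a destination page that tells the user when the marker arrived without a valid session. The framework objects, cookie names, user store and `simulate` driver are all stand-ins constructed for this example.

```python
"""Login flow model: POST -> set session cookie -> redirect, with two cookie
checks layered on top. Pure Python, no web framework; Request data are plain
dicts and Response is a tiny stand-in for a real framework's response object."""
from __future__ import annotations

from dataclasses import dataclass, field
import hmac
import secrets

# Constructed demo credential store (hypothetical user, not a real account).
USERS = {"alice": "correct horse battery staple"}

TEST_COOKIE = "testcookie"        # pre-flight cookie set with the login form
SESSION_COOKIE = "sessionid"
LOGIN_MARKER = "just_logged_in"   # query flag appended to the redirect URL

# Server-side session store: session id -> username
SESSIONS: dict[str, str] = {}


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict[str, str] = field(default_factory=dict)
    set_cookies: dict[str, str] = field(default_factory=dict)


def show_login_form() -> Response:
    """Step 0 (the test-cookie idea from the comments): set a throwaway cookie
    with the form so the POST handler can tell whether the browser accepts
    cookies at all, before it bothers checking credentials."""
    r = Response(200, "<form method=post>...</form>")
    r.set_cookies[TEST_COOKIE] = "1"
    return r


def handle_login_post(form: dict, cookies: dict, next_url: str = "/") -> Response:
    """Step 1: check the test cookie, validate credentials, set the session
    cookie, redirect. A cookie-less browser gets a clear error here instead of
    the silent redirect loop the post describes."""
    if cookies.get(TEST_COOKIE) != "1":
        return Response(400, "Your browser must accept cookies to log in.")
    user = form.get("username", "")
    expected = USERS.get(user)
    # constant-time compare so a wrong password does not leak via timing
    if expected is None or not hmac.compare_digest(form.get("password", ""), expected):
        return Response(401, "Invalid username or password.")
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    # The marker lets the landing page detect a dropped session cookie; it also
    # puts "this user just logged in" into browser history, which is the
    # history-sniffing concern from the post, so the test cookie above is the
    # primary check and the marker only a fallback.
    r = Response(302, headers={"Location": f"{next_url}?{LOGIN_MARKER}=1"})
    r.set_cookies[SESSION_COOKIE] = sid
    return r


def render_destination(query: dict, cookies: dict) -> Response:
    """Step 2: the page the login redirects to. If the marker is present but no
    valid session arrived, the cookie was lost between redirect and landing and
    the user is told so. Reloading this URL after the session expires will show
    the same message, which is the false-alarm case the post lists as problem 3."""
    user = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if user:
        return Response(200, f"Welcome, {user}")
    if query.get(LOGIN_MARKER) == "1":
        return Response(200, "Login succeeded but your browser did not keep the cookie.")
    return Response(200, "Please log in")


def simulate(cookies_enabled: bool, keep_session_cookie: bool = True) -> tuple[int, str]:
    """Drive the three steps the way a browser would. `cookies_enabled` models
    the browser setting; `keep_session_cookie=False` models the session cookie
    being lost (e.g. expired) between the redirect and the landing page."""
    jar: dict[str, str] = {}

    def absorb(resp: Response) -> None:
        if cookies_enabled:
            jar.update(resp.set_cookies)

    absorb(show_login_form())
    resp = handle_login_post(
        {"username": "alice", "password": USERS["alice"]}, dict(jar), "/home")
    if resp.status != 302:
        return resp.status, resp.body
    absorb(resp)
    if not keep_session_cookie:
        jar.pop(SESSION_COOKIE, None)
    _path, _, qs = resp.headers["Location"].partition("?")
    query = dict(pair.split("=", 1) for pair in qs.split("&") if pair)
    final = render_destination(query, dict(jar))
    return final.status, final.body


if __name__ == "__main__":
    print(simulate(cookies_enabled=True))
    print(simulate(cookies_enabled=False))
    print(simulate(cookies_enabled=True, keep_session_cookie=False))
```

Running the three scenarios shows the difference between the two checks: with cookies disabled the POST handler stops early with a 400 and the user never sees the redirect loop, while a session cookie lost only after the redirect is caught by the marker on the landing page.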
