Login code pattern
When coding a login interface it’s common to follow this pattern:
- POST data to a script that checks it and sets appropriate cookies
- On success redirect to the previous (or some other) page
- On error show that error or redirect to an error page
You do this so that users don’t get the annoying “resend data” pop-up if/when they reload the destination page. On the other hand this pattern exposes a usability issue when login data is correct but cookies are turned off.
For some reason my cookies were disabled today. That means that logging in to Twitter (that uses the previously described pattern) looked a bit weird. I’d log in, get redirected and end up on the home page again. Same thing happened on Mozilla Addons page. The very definition of recursion.
When I finally figured it out, I immediately thought of a solution. When you redirect from the post add something to the URL – that way the redirected page can check if you’re actually logged in and alert you if you’re not.
Now this has a few problems of its own:
- It exposes that you have an account on a specific service that can be detected with history sniffing.
- If you create a user based URL to circumvent the previous issue you might leak user information.
- If you reload the destination page after session expired you’ll get an alert that might be wrong itself (you would have to implement some server-side logic that checks if the session has just started).
With all this in mind I still think that redirecting to a different URL is better than leaving users without any information (no matter how uncommon having disabled cookies is).
How do YOU solve this?