Remove cookie-based redirection to the last visited page

Description

On most page loads, we save the current path in the session cookie (as session[:return_to]) so in the future, we can redirect the user back to this page if necessary. This feature behaves unpredictably at best, and any brokenness is exacerbated for guest users by nginx-level full page caching, which ignores cookies.

We are removing this feature entirely. A non-exhaustive list of things to remove:

  • Any references to session[:return_to].

  • The store_location callback.

  • The unused method set_flash_cookie.

  • The method redirect_back_or_default. Most of the time, this method can be replaced with a simple redirect_to targeting whatever we used to have as the default argument. In some cases, however, we do want to preserve the user's last visited location (e.g. when logging in, when logging in after viewing a restricted work as a guest). If we need to remember the last visited location, we should include the URL to redirect back to in the login form.
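
Once the return location travels in the login form instead of session[:return_to], it is user-controlled input and has to be checked before it reaches redirect_to. The following is an added example, not code from the project; the helper name safe_return_path, the constant DEFAULT_AFTER_LOGIN and the sample values are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical helper (not from the project's code base): choose the
# post-login redirect target when it arrives as a login form field rather
# than from session[:return_to]. Only site-relative paths are accepted, so
# the login form cannot be used to bounce a user to another host.
DEFAULT_AFTER_LOGIN = "/" # assumed fallback target

def safe_return_path(candidate, default = DEFAULT_AFTER_LOGIN)
  return default unless candidate.is_a?(String)

  value = candidate.strip
  # Must be a path on this site: exactly one leading slash.
  # "//host" is protocol-relative and "/\host" is treated like it by browsers.
  return default unless value.start_with?("/")
  return default if value.start_with?("//", "/\\")
  # Control characters (CR/LF header splitting) and backslashes are never valid here.
  return default if value.match?(/[\x00-\x1f\x7f\\]/)

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return default
  end
  # A site-relative reference carries no scheme, host or userinfo.
  return default if uri.scheme || uri.host || uri.userinfo

  # Rebuild from parsed parts; any fragment is dropped.
  uri.query ? "#{uri.path}?#{uri.query}" : uri.path
end

if __FILE__ == $0
  # Constructed sample values, as a login form field might submit them.
  [
    "/works/123?view_adult=true",
    "https://evil.example/works/123",
    "//evil.example/works/123",
    "/\\evil.example",
    "/works/1\r\nSet-Cookie: x=1"
  ].each do |input|
    puts "#{input.inspect} -> #{safe_return_path(input).inspect}"
  end
end
```

Because the helper returns a path only, the redirect stays on whichever host served the login form, secure or insecure.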

This issue should fix or deprecate:

needs to be reworked after this issue is done.

How to test:

1. Logging in

2. Logging in at the insecure site: Repeat the previous test on http://insecure-test.archiveofourown.org/ this time. Check that you are redirected back to the right page, not on the secure site.

3. Logging in on a restricted work

  • Visit a restricted work as a guest. You'll be redirected to the full page login form at https://test.archiveofourown.org/users/login.

  • Log in using the full page form (not the top-right pop-up form).

  • Check that you are redirected to the work with the notice "Successfully logged in."

Assignee

Unassigned

Reporter

redsummernight

Roadmap

Login
Visitors
Works

Priority

Medium

Affects versions

Fix versions

None

Components

BackEnd

Difficulty

Medium

Milestone

Internal 0.9