Feedback request regarding JSession suggestion


Clubnite

Aug 4, 2016, 12:48:00 PM
to Joomla! CMS Development
Hi! I think the implementation of JSession::checkToken() is too restrictive, since its redirect URL, which is hardcoded to index.php, neither redirects a user to the login screen nor considers a return URL potentially set in JInput.

How about redirecting a user to the login screen and checking for a return URL to redirect the user to post-login, rather than just setting a message and redirecting the user to index.php, where they might not want to go?

A much more user-friendly solution might be implemented like so:

...

if ($session->isNew())
{
   // Session expired: tell the user and send them to the login screen.
   $app->enqueueMessage(JText::_('JLIB_ENVIRONMENT_SESSION_EXPIRED'), 'warning');

   /* OLD
   $app->redirect(JRoute::_('index.php')); */

   // NEW: honour a base64-encoded return URL from the request, defaulting to index.php.
   $return = $app->input->getBase64('return', base64_encode('index.php'));
   $return = base64_decode($return);

   // Only follow internal URLs; anything external falls back to index.php.
   $return = JUri::isInternal($return) ? $return : 'index.php';

   $app->redirect(
      JRoute::_('index.php?option=com_users&view=login&return=' . base64_encode($return), false)
   );
}
else
{
   return false;   // This is caught by jexit(JText::_('JINVALID_TOKEN'))
}

...

This will redirect a user to the login screen and, post-login, to their profile page or to the return page from JInput, which is much more user friendly.

What do you guys think? If you don't see any security concerns I'd create a PR.
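As an added example, not the poster's code and not Joomla's JUri::isInternal(): a standalone PHP check of the decoded `return` value that the proposal relies on, run over constructed inputs to show which values are kept and which fall back to index.php. The site base URL and the strict base64 decoding are assumptions.

```php
<?php
// Added example, not Joomla's code and not JUri::isInternal(): a standalone
// check of a decoded `return` value. Assumes the site base URL is known.
function isInternalUrl(string $url, string $siteBase): bool
{
    // Reject control characters and whitespace (CR/LF would corrupt the Location header)
    // and protocol-relative forms such as "//host" or "/\host", which browsers send off-site.
    if (preg_match('/[\x00-\x20\x7F]/', $url) || preg_match('#^[/\\\\]{2}#', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // A plain relative reference (no scheme, no host) stays on this site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return true;
    }
    // Absolute URLs must match the site's scheme, host and port exactly.
    $base = parse_url($siteBase);
    return isset($parts['scheme'], $parts['host'], $base['scheme'], $base['host'])
        && strcasecmp($parts['scheme'], $base['scheme']) === 0
        && strcasecmp($parts['host'], $base['host']) === 0
        && ($parts['port'] ?? null) === ($base['port'] ?? null);
}

function resolveReturnUrl(string $encoded, string $siteBase, string $fallback = 'index.php'): string
{
    // Strict decoding (assumption: stricter than Joomla's BASE64 input filter)
    // rejects anything that is not well-formed base64.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false || $decoded === '') {
        return $fallback;
    }
    return isInternalUrl($decoded, $siteBase) ? $decoded : $fallback;
}

// Constructed inputs: the first two are kept, the rest fall back to index.php.
$site = 'https://example.test';
foreach ([
    'index.php?option=com_content&view=article&id=1',
    'https://example.test/administrator/',
    'https://attacker.test/phish',
    '//attacker.test/phish',
    'javascript:alert(1)',
    "index.php\r\nSet-Cookie: x=1",
] as $candidate) {
    printf("%-48s -> %s\n", json_encode($candidate, JSON_UNESCAPED_SLASHES), resolveReturnUrl(base64_encode($candidate), $site));
}
```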
