Hi! I think the implementation of JSession::checkToken() is too restrictive, since its redirect URL, which is hardcoded to index.php, neither redirects a user to the login screen nor considers a return URL potentially set in JInput.
How about redirecting a user to the login screen and checking for a return URL to redirect the user to post-login, rather than just setting a message and redirecting the user to index.php, where they might not want to go?
The (much more user-friendly) solution might be implemented like so:
```php
...
if ($session->isNew())
{
    // Redirect to login screen.
    $app->enqueueMessage(JText::_('JLIB_ENVIRONMENT_SESSION_EXPIRED'), 'warning');

    /* OLD
    $app->redirect(JRoute::_('index.php')); */

    // NEW
    $return = $app->input->getBase64('return', base64_encode('index.php'));
    $return = base64_decode($return);
    $return = JUri::isInternal($return) ? $return : 'index.php';
    $app->redirect(
        JRoute::_('index.php?option=com_users&view=login&return=' . base64_encode($return), false)
    );
}
else
{
    return false; // This is caught by jexit(JText::_('JINVALID_TOKEN'))
}
...
```
This will redirect a user to the login screen and then, post-login, to their profile page or to the return page from JInput, which is much more user-friendly.
What do you guys think? If you don't see any security concerns, I'd create a PR.
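The security-relevant part of the proposal above is the `JUri::isInternal()` gate: without it, a base64-encoded `return` parameter would turn the login redirect into an open redirect. The following is an added, standalone PHP example (not Joomla code and not a reimplementation of `JUri::isInternal()`) that shows the same flow outside the framework: decode the raw `return` value the way `getBase64()` would, accept only relative paths or absolute URLs on the site's own scheme and host, and fall back to `index.php` otherwise. The function names (`safeReturnUrl`, `isInternalUrl`, `loginRedirectTarget`), the `$siteBase` parameter and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not Joomla code. Assumes the `return` parameter arrives
// base64-encoded (as Joomla's JInput::getBase64() delivers it) and that
// "internal" means a relative path or an absolute URL on $siteBase.

function isInternalUrl(string $url, string $siteBase): bool
{
    // Only printable ASCII: rejects control characters, whitespace and raw
    // non-ASCII bytes that lenient URL parsers may tolerate.
    if (preg_match('/[^\x21-\x7e]/', $url)) {
        return false;
    }

    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }

    // Anything with a scheme or a host (including scheme-relative "//host")
    // must match the site's own scheme, host and port exactly.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        $base = parse_url($siteBase);

        return isset($parts['scheme'], $parts['host'], $base['scheme'], $base['host'])
            && strcasecmp($parts['scheme'], $base['scheme']) === 0
            && strcasecmp($parts['host'], $base['host']) === 0
            && ($parts['port'] ?? null) === ($base['port'] ?? null);
    }

    // Plain relative path. Backslashes are rejected because some browsers
    // interpret "/\host" as scheme-relative.
    return strpos($url, '\\') === false;
}

function safeReturnUrl(string $rawReturn, string $siteBase, string $fallback = 'index.php'): string
{
    // Emulate getBase64(): keep only base64 alphabet characters.
    $filtered = preg_replace('/[^A-Za-z0-9\/+=]/', '', $rawReturn);
    $decoded  = base64_decode($filtered, true);

    if ($decoded === false || $decoded === '') {
        return $fallback;
    }

    return isInternalUrl($decoded, $siteBase) ? $decoded : $fallback;
}

function loginRedirectTarget(string $rawReturn, string $siteBase): string
{
    // The login component gets the already-validated target, re-encoded.
    $return = safeReturnUrl($rawReturn, $siteBase);

    return 'index.php?option=com_users&view=login&return=' . base64_encode($return);
}

// Constructed sample inputs (not real traffic).
$site  = 'https://example.test';
$cases = [
    base64_encode('index.php?option=com_content&view=article&id=1'),   // relative: kept
    base64_encode('https://example.test/index.php?option=com_users'),  // same site: kept
    base64_encode('https://evil.example/phish'),                       // other host: fallback
    base64_encode('//evil.example/phish'),                             // scheme-relative: fallback
    base64_encode('javascript:alert(1)'),                              // non-http scheme: fallback
    '',                                                                // missing parameter: fallback
];

foreach ($cases as $raw) {
    printf("%-64s -> %s\n", $raw === '' ? '(empty)' : $raw, safeReturnUrl($raw, $site));
    printf("%-64s    login URL: %s\n", '', loginRedirectTarget($raw, $site));
}
```

The check is deliberately stricter than "host matches": a scheme-relative URL or a non-HTTP scheme also falls back to `index.php`, and the validated value is re-encoded before being handed to the login view so the second hop never sees an unchecked string.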