Copilot AI commented Jan 2, 2026

Session timing issue causes $_SESSION['postLoginQuery'] to be unavailable when the login form renders, resulting in users being redirected to console instead of their original URL after authentication.

Changes

  • web/index.php: Pass postLoginQuery as URL parameter in redirect to login page

    $postLoginQuery = $_SERVER['QUERY_STRING'];
    $redirect = '?view=login&postLoginQuery=' . urlencode($postLoginQuery);

  • web/skins/classic/views/login.php: Check $_GET['postLoginQuery'] first, fall back to session

    $postLoginQuery = '';
    if (isset($_GET['postLoginQuery'])) {
      $postLoginQuery = validStr($_GET['postLoginQuery']);
    } else if (isset($_SESSION['postLoginQuery'])) {
      $postLoginQuery = validStr($_SESSION['postLoginQuery']);
    }

Security

  • Input sanitization via validStr() strips HTML tags
  • Output encoding via validHtmlStr() prevents XSS
  • Uses $_GET explicitly instead of $_REQUEST to prevent POST parameter injection
  • URL encoding ensures safe parameter transport

Session storage maintained as fallback for backward compatibility.

Original prompt

Problem

When a user receives an email with a link to an event (e.g., https://zoneminder.xxx/zm?view=event&mode=stream&mid=8&eid=1027544) and clicks on it while not logged in, they are prompted to log in. However, after successful login, they are redirected to the console view instead of the original event link.

Expected behavior: User should be redirected to the original event URL after logging in.

Current behavior: User is redirected to ?view=console instead.

Root Cause

There is a timing issue with how the postLoginQuery is being passed from the redirect in web/index.php to the login form. The query string is saved to the session variable $_SESSION['postLoginQuery'] just before redirecting to the login page, but due to session write timing, this value may not be immediately available when the login page renders.

Solution

Pass the postLoginQuery as a URL parameter during the redirect to the login page, in addition to saving it in the session. This ensures the query string is immediately available when the login form renders.

Changes Required

  1. web/index.php (around line 245-257):

    • Modify the redirect to include the postLoginQuery as a URL parameter
    • Keep the session storage as a backup
  2. web/skins/classic/views/login.php (around line 10-11):

    • Check for postLoginQuery in both $_REQUEST (URL parameter) and $_SESSION
    • Give priority to the URL parameter as it's more immediate
    • Properly initialize the variable before using it

Files to Modify

  • web/index.php
  • web/skins/classic/views/login.php

Related Issue

Fixes #4231

This pull request was created from Copilot chat.
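
An added example, not part of the pull request or of ZoneMinder's code: the round trip described above, with the URL-supplied value treated as untrusted and rebuilt from allow-listed key=value pairs before the login form carries it. The function names and the character allow-list are assumptions of this example, and it does not call ZoneMinder's validStr().

```php
<?php
// Added example; function names are hypothetical, not ZoneMinder's.

// Build the redirect as the PR describes: the original query string travels
// as a single urlencode()d parameter.
function buildLoginRedirect(string $queryString): string {
  return '?view=login&postLoginQuery=' . urlencode($queryString);
}

// Choose the value for the login form: URL parameter first, session second.
// Either source is then reduced to plain key=value pairs and re-encoded, so
// the result can only ever be a query string for the same application.
function resolvePostLoginQuery(array $get, array $session): string {
  $raw = '';
  if (isset($get['postLoginQuery']) && is_string($get['postLoginQuery'])) {
    $raw = $get['postLoginQuery'];
  } elseif (isset($session['postLoginQuery']) && is_string($session['postLoginQuery'])) {
    $raw = $session['postLoginQuery'];
  }
  parse_str(ltrim($raw, '?'), $pairs);
  $clean = [];
  foreach ($pairs as $key => $value) {
    // Assumed allow-list: word-character keys, conservative value characters.
    // Nested arrays and values containing markup are dropped, not repaired.
    if (is_string($value)
        && preg_match('/^[A-Za-z0-9_]+$/', (string)$key)
        && preg_match('/^[A-Za-z0-9_.,:-]*$/', $value)) {
      $clean[$key] = $value;
    }
  }
  return http_build_query($clean);
}

// Constructed sample: the event link from the problem description.
$original = 'view=event&mode=stream&mid=8&eid=1027544';
$redirect = buildLoginRedirect($original);

// PHP decodes $_GET once on arrival; parse_str() on the redirect mimics that.
parse_str(ltrim($redirect, '?'), $get);

var_dump($redirect);
var_dump(resolvePostLoginQuery($get, []) === $original);
var_dump(resolvePostLoginQuery([], ['postLoginQuery' => $original]) === $original);
var_dump(resolvePostLoginQuery(['postLoginQuery' => 'view=event&eid=<script>'], []));
```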



Copilot AI and others added 3 commits January 2, 2026 02:01
- Modified web/index.php to pass postLoginQuery as URL parameter during redirect
- Updated web/skins/classic/views/login.php to check both $_REQUEST and $_SESSION for postLoginQuery
- This fixes the timing issue where session variable may not be available when login form renders

Co-authored-by: SteveGilvarry <[email protected]>

- Use validStr() to sanitize postLoginQuery from both $_REQUEST and $_SESSION
- This strips HTML tags and prevents potential XSS attacks

Co-authored-by: SteveGilvarry <[email protected]>

- Changed to use $_GET['postLoginQuery'] instead of $_REQUEST to be more explicit
- This prevents potential POST parameter injection attacks

Co-authored-by: SteveGilvarry <[email protected]>
Copilot AI changed the title from "[WIP] Fix redirection to event link after user login" to "Fix login redirect by passing postLoginQuery as URL parameter" Jan 2, 2026
Copilot AI requested a review from SteveGilvarry January 2, 2026 02:08
@connortechnology
Member

Looks ok to me.

@connortechnology connortechnology marked this pull request as ready for review January 7, 2026 18:33
Copilot AI review requested due to automatic review settings January 7, 2026 18:33
@connortechnology connortechnology merged commit 8e71110 into master Jan 7, 2026
1 of 4 checks passed
Copilot AI left a comment

Pull request overview

This PR fixes a session timing issue that prevented users from being redirected to their original URL after login. The solution passes postLoginQuery as a URL parameter during redirect to ensure immediate availability, while maintaining session storage as a fallback for backward compatibility.

  • Pass postLoginQuery as URL parameter in login redirect to avoid session timing issues
  • Update login form to check $_GET parameter first, then fall back to session storage
  • Maintain proper input sanitization and output encoding for security

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| web/index.php | Passes the original query string as a URL parameter when redirecting to login page, using proper URL encoding |
| web/skins/classic/views/login.php | Checks for postLoginQuery in $_GET first (from URL parameter), falls back to session storage, with proper input validation and output encoding |

Development

Successfully merging this pull request may close these issues.

Email event redirect not working

3 participants