Ticket #2619 (new defect)
Some of the log-in / log-out logic is weird.
| Reported by: | sminnee | Assigned to: | aoneil |
|---|---|---|---|
| Type: | defect | Priority: | medium |
| Milestone: | | Component: | (Unknown) |
| Version: | 2.2.2 | Severity: | medium effort / impact |
| Keywords: | | Cc: | |
| Due date: | | Hours: | |
Description
The login system has some funny quirks in its logic:
- If you are logged in, and then access a page that you don't have access to, it logs you out. This means that if you return to another secured page that you *do* have access to, you need to log in again.
- Similarly, if you try and enter your own username and password on that screen, it keeps failing to let you into the admin screen. There's no option to "go back to where you came from".
In general, there are a couple of solutions to this problem:
- Don't log people out on permission failure, just ask them to log in as someone else.
- Offer a "go back" button on permission failure.
However, the log-in system suffers from having logic that is a little too complex to reliably model inside your head. A very useful asset here will be a suite of functional tests to test all of the different ways in which the login form can be accessed.
Here are some examples:
- Logged-out, access a secure page, log-in, redirect to that page
- Logged-out, access a secure page, fail a couple of times, then log in successfully, redirect to that page
- Logged-out, access a secure page, access "/admin", try logging in with a forum user account, go back, access the secure forum "/forum", then log in with a forum user account, ensure that you're let in
- Logged in as a forum user, access admin, be redirected to the login form, go back to the secure forum, don't ask to log in
There are potentially dozens of important permutations; this is the main reason why we still have bugs in the log-in system.
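A minimal model of the first proposed solution (keep the session on permission failure), with two of the listed scenarios written as functions a test can assert on. This is an added example, not SilverStripe code and not part of the ticket; the `Site` class, paths, accounts and passwords are constructed for illustration.

```python
# Constructed model (not SilverStripe code): group required by each secured path.
REQUIRED_GROUP = {"/admin": "admin", "/forum": "forum"}
# Constructed accounts: username -> (password, groups).
USERS = {"fred": ("pw-fred", {"forum"}), "root": ("pw-root", {"admin", "forum"})}
LOGIN_FORM = "login-form"

class Site:
    """Login flow that keeps the session on permission failure."""

    def __init__(self):
        self.user = None      # logged-in username, or None
        self.back_url = None  # secured page that triggered the login form

    def _allowed(self, path):
        need = REQUIRED_GROUP.get(path)
        return need is None or (self.user is not None and need in USERS[self.user][1])

    def get(self, path):
        """Return the page served for a request: the path or the login form."""
        if self._allowed(path):
            return path
        self.back_url = path  # remember the target; do NOT clear self.user
        return LOGIN_FORM

    def login(self, username, password):
        """Return the page the user lands on after submitting the login form."""
        record = USERS.get(username)
        if record is None or record[0] != password:
            return LOGIN_FORM  # failed attempt keeps back_url and any session
        self.user = username
        target = self.back_url or "/"
        if not self._allowed(target):
            return LOGIN_FORM  # valid account, wrong permissions: ask again
        self.back_url = None
        return target

def scenario_forum_user_hits_admin():
    """Ticket example 4: forum user, denied at /admin, returns to /forum."""
    site = Site()
    site.get("/forum")
    site.login("fred", "pw-fred")
    return [site.get("/admin"), site.get("/forum"), site.user]

def scenario_retry_then_redirect():
    """Ticket example 2: failed attempts, then success, land on the page."""
    site = Site()
    site.get("/forum")
    return [site.login("fred", "nope"), site.login("fred", "wrong"),
            site.login("fred", "pw-fred")]
```

Each remaining permutation from the list becomes one more scenario function against the same model, so a regression in one path shows up as a single failing assertion.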
