Use replaceState for better browser history experience #967
Conversation
selaux
changed the title
|
I don't see two history entries when I log in on Chrome. 🤔 What browser are you testing? |
|
Tested on Firefox and Chrome, but maybe I didn't describe it correctly and maybe this is a special case that we have. I will try to build a minimal example to showcase the issue. |
|
Okay, so you can find the minimal example here. You are right, it actually works in Chrome and some other Browsers, but I tested in Firefox and there the issue appears. Successful Login: Login with '[email protected]' and 'Test1234' After login it will redirect you to this page.
I hope this makes things more clear and you can reproduce. |
|
Yeah. Thanks for the PR! |
|
Cool, thank you! |
|
Thinking back on it you might also need to consider browser support. E.g. IE9 does not support this, for the browsers we support its ok. |
|
I saw that, but we don't support IE9, so that's ok |
Rationale: Currently, when we get to the login callback, the callback url with and without the hash will be counted as two different browser history entries. This leads to the user not having the possibility to navigate back as the history entry that includes the hash will always trigger the authentication procedure again. Additionally I don't like the idea of tokens appearing in my browser history, because this way an attacker could steal them from there (although they will only be valid for a limited amount of time).
Implementation: Replace
window.location.hash = ''withwindow.history.replaceState(so it will not create an additional history entry, but replace the existing one that includes the hash.What do you think?