by Tom
I just had the strangest behaviour in a Laravel 7 app which really confused me for a little while until I stumbled upon the answer.
The issue was that failed login attempts weren't being redirected back to the /login page to show the error and were instead being sent to the homepage. So, if you entered the wrong email address or password, rather than be told “sorry that didn’t work” or “you entered incorrect details” or similar, you were instead taken back to the home page like nothing happened. As a user, you’d be left wondering if it had worked, but then why you couldn’t access your account, or if the website was completely broken.
I found that the problem was related to the built in authentication that comes with Laravel. It's brilliant when it works, but as much of the nuts and bolts are hidden in the framework, working out what's going wrong can sometimes be tricky. After extensive head scatching it turns out the issue was nothing to do with Laravel at all, but down to some Apache Headers I'd defined in my .htaccess file to try and tighten up security. I'd added these headers later on in the project just before launching the site which is probably why I hadn't noticed this behaviour earlier.
So just for reference, the Header in question was:
> Header always set Referrer-Policy: strict-origin
however changing this to:
> Header always set Referrer-Policy: strict-origin-when-cross-origin
Appears to mean the failed login redirect can go back to the login page as intended.
I'm posting this partly to remind myself in the future, but also because I've found a few threads of people with similar issues, so I thought it was friendly to share. Keep this in mind with any Apache Headers you add to your code and test any key functionality, such as logging in or carrying out any transactions, any time you update them.
