login browser view should not be cached by proxy cache because of came_from

[yurj]

For a full discussion: https://community.plone.org/t/varnish-and-login-page/14692/6

The login browser view html output contains, as hidden input, the parameter came_from. When you click on login on a public view, the came_from parameter in the form input hidden field is set to the url where you clicked "login". The idea is to login and go back in the same point you were before. If you put a proxy cache (eg varnish) in front of Plone and click on "login", the login page is cached , thus also the came_from input value. So next time you click on "login", you'll get the cached version (because the url is the same) that, after the successful login, will redirect you to the cached came_from wrong url, not the actual correct one.

When you just click on "login" in a Plone url, the login.py browser view will populate the came_from value to the http_referrer (which is the url you came from when clicking on "login").

This is different from hitting a private view and get redirected to login, because the came_from is in the url, thus the cache entry will be different and all works correctly.

Use case: Suppose you're an editor. You go to a page, then click login and then modify to edit it. This simplify a lot the editor experience. If login would not honor the came_from, the editor would login, redirected to the home page, and then have to search the page again to modify it.

This is Plone 6.0.0a2 but the same problem apply to every Plone version which supports came_from from the referrer.

[yurj]

As an additional idea, we could use the same approach of the statusmessage viewlet (Products.statusmessages), which uses a cookie to display the message. When clicking on login, a cookie is cleared (to avoid stale entries) and set with the came_from url and used in the login page by a javascript to fill the came_from hidden input form field, and finally delete the cookie.