From 153275999682cc63cef5aaa0443b95711a8f9c2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Wed, 13 Jan 2016 22:11:59 +0100
Subject: [PATCH] general: don't use session for after_url persistence (#5637)
---
 extra/modules/root.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extra/modules/root.py b/extra/modules/root.py
index b946916..548d1b5 100644
--- a/extra/modules/root.py
+++ b/extra/modules/root.py
@@ -666,7 +666,7 @@ class AlternateLoginDirectory(OldLoginDirectory):
 ident_methods = get_cfg('identification', {}).get('methods', [])
 if get_request().form.get('ReturnUrl'):
- get_session().after_url = get_request().form.get('ReturnUrl')
+ get_request().form['next'] = get_request().form.pop('ReturnUrl')
 if 'IsPassive' in get_request().form and 'idp' in ident_methods:
 # if isPassive is given in query parameters, we restrict ourselves
@@ -678,7 +678,7 @@ class AlternateLoginDirectory(OldLoginDirectory):
 # possibility of SSO, if we got there as a consequence of an access
 # unauthorized url on admin/ or backoffice/, then idp auth method
 # is chosen forcefully.
- after_url = get_session().after_url
+ after_url = get_request().form.get('next')
 if after_url:
 root_url = get_publisher().get_root_url()
 after_path = urlparse.urlparse(after_url)[2]
--
2.7.0.rc3
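Review bot: In the first hunk, `get_request().form['next'] = get_request().form.pop('ReturnUrl')` copies a client-supplied URL into `next` with no check on where it points, and it silently replaces any `next` value the request already carried. With the target no longer held in the session, the code that later consumes `next` after login is presumably the only place that can refuse an off-site redirect. That code is outside this hunk, so confirm it limits the target to the site's own root URL. A comment above the line would record the assumption: `# ReturnUrl is untrusted; the consumer of 'next' must reject off-site targets`. The enclosing method starts and ends outside the hunk.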
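Review bot: In the second hunk, `after_url = get_request().form.get('next')` reads a value any client can set, and the visible lines examine only its path component, `urlparse.urlparse(after_url)[2]`, so scheme and host play no part in the check that follows. The comment above says this value decides whether the idp method is forced for admin/ or backoffice/ targets, so a request can now steer that choice directly. Confirm that this is acceptable, and say so in the comment, for example `# 'next' is request-controlled; it only selects the auth method here, never the redirect target`. If the form object can hold a list for a repeated parameter (not visible here), a type guard before the `urlparse` call would avoid an unhandled error. The rest of the `if after_url:` body lies outside the hunk.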