Getting rid of "lastVisitedNode" magic

As you know, the “lastVisitedNode” functionality was introduced in order to allow the user to be redirected to the last page he/she was looking at after logging into the backend.
Unfortunately there are several issues with the current implementation:

  • Redirection fails if the lastVisitedNode doesn’t exist (anymore) or if its dimensions differ
  • Inline JavaScript is considered bad practice and might pose issues when CSP is used

I suggest getting rid of the functionality altogether, and maybe replacing it with a different approach:
For example we could allow the user to append a certain string to the frontend URL that triggers the redirect: http://yourdomain.tld/some/page.html@neos for example.
Obviously this should work in addition to navigating to /neos (which would then skip the redirection).

I’ll start a vote, but would like to gather some more feedback/ideas first.

Hey Bastian,

I personally am ±0 on this; so I cannot really judge what is best here or what people expect :smile:

All the best,
Sebastian

I agree that the current behaviour is really bad, so either we find a way that the redirection happens reliably (for example by filtering out services and in general being more forgiving when redirecting to non-existing routes) or we need to remove / replace it by something else.

I find http://yourdomain.tld/some/page.html@neos a bit problematic because it says “select the workspace ‘neos’”. But I think the general idea is good. How about simply adding a “@” without workspace name?

I like. We could even allow @[\w]* and then prefill the username in the BE login form accordingly. It would have to be @user-<username> though, not just <username>…

BTW: Another drawback of the current implementation is that we always start a session storing the lastVisitedNode in order to perform the redirect after authentication. At some point it would be nice to allow sessionless authentication even for the Neos BE (e.g. HTTP auth).

The current implementation has some bugs, which could easily be fixed, so I don’t see that as a reason to get rid of it.

Also, the argument about inline script being a bad practice can also easily be avoided. E.g. for a project I’ve optimized, I’ve included the script together with the site. Similar can easily be done by anyone who cares about it. Therefore I don’t see this as a good enough argument to get rid of it either.

Regarding the sessionless authentication, that’s a valid point, but wouldn’t it be possible to support that by not starting the session when that is desired?

Allowing to prepend something like @neos for the url can be added regardless and I like that idea. One thing you won’t be able to do is to bookmark @neos and then see the last visited page. So it has some limitations compared to the current solution, which would be an argument for supporting both.

So did we ever think about the UX of appending (or changing) something in the URL anyway? IMHO the URL is a very technical detail that users shouldn’t deal with. Of course users could just have a bookmark to the backend and not care about that - and this is where the last visited node helps. Appending a magic string to the URL will at least need a Bookmarklet that could script that.

We could also think about setting a special localStorage value once you logged into the backend and then showing a very small overlay on the website with a small button (e.g. “edit”) that takes you to the backend (e.g. by appending a magic string or opening /neos?from=/foo/bar.html).

You’re right - and in fact we already moved it to an external script with and only have some lines of inline script in the BE login form - I just forgot about it :wink:

Good point, didn’t think of that.

I agree, kind of…
I think it’s not too bad to tell the user “to login go to www.yourdomain.tld/neos or click into the address bar and add an @”… I mean we’re talking about editors that need at least enough technical understanding to deal with the Backend, not about regular visitors of the website… And, they’re free to ignore the 2nd option anyways.

(I’m not saying that it’s a perfect solution, but I don’t think that it’s too bad)

I didn’t think of that before but it’s already possible to bookmark deep-links to the backend. køøl.

Bookmarklet is also a nice idea but IMO we don’t need the “last visited node” for that. We only need to know the URL the user comes from - and the bookmarklet knows this.

Nice one - it could even store the username and pre-populate the login form.