
Redirect State And Safety

Doc type: Explanation

Why redirect state exists

The portal stores short-lived redirect state so it can return users to the correct location after login without accepting arbitrary redirect targets.

How it works

  • The portal stores the requested redirectUrl in browser sessionStorage per tab.
  • State expires after about 15 minutes.

Safety guarantees

  • Redirects must be HTTPS.
  • Hosts must match the redirect allowlist.
  • Invalid or missing state results in a safe fallback redirect.
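The flow described above, sketched as an added example (not the portal's own code): state is written with an expiry, and the target is returned only when it passes the HTTPS and allowlist checks. The storage key, the fallback path "/", the allowlisted host, consuming the state on first read and all function names are assumptions made for illustration.

```javascript
// Added example: constants and function names are assumptions, not the portal's code.
const STATE_KEY = "portal.redirectState";            // hypothetical storage key
const TTL_MS = 15 * 60 * 1000;                        // "about 15 minutes"
const FALLBACK = "/";                                 // hypothetical safe fallback
const ALLOWED_HOSTS = new Set(["app.example.com"]);   // constructed allowlist

// Map-backed stand-in for window.sessionStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}

// HTTPS only, and the parsed hostname must match an allowlist entry exactly.
function isSafeRedirect(target) {
  let url;
  try {
    url = new URL(target); // relative or malformed input throws and is rejected
  } catch {
    return false;
  }
  return url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
}

function saveRedirectState(storage, redirectUrl, now = Date.now()) {
  const state = { redirectUrl, expiresAt: now + TTL_MS };
  storage.setItem(STATE_KEY, JSON.stringify(state));
}

// Returns the stored target only if the state is present, well-formed, unexpired and safe.
function resolveRedirect(storage, now = Date.now()) {
  const raw = storage.getItem(STATE_KEY);
  storage.removeItem(STATE_KEY); // assumption: state is consumed on first use
  if (raw === null) return FALLBACK;
  let state;
  try {
    state = JSON.parse(raw);
  } catch {
    return FALLBACK;
  }
  if (!state || typeof state.redirectUrl !== "string") return FALLBACK;
  if (typeof state.expiresAt !== "number" || now >= state.expiresAt) return FALLBACK;
  return isSafeRedirect(state.redirectUrl) ? state.redirectUrl : FALLBACK;
}
```

In a browser, pass window.sessionStorage as the storage argument. Comparing the parsed hostname, rather than searching the raw string for an allowed name, is what rejects lookalikes such as an allowed host used as a subdomain prefix or placed in the userinfo part of the URL.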