Webpage behavior for an expired authentication referral link
I'm working on a Single Sign On service.
An example use case I'm trying to solve is as follows:
- User A sends User B a link to www.exampleapp.com/resource/abc. This resource requires authentication to access it.
- User B clicks the link, and because they're not authenticated they're redirected to logon.example.com?authref=arefecodehere
- User B erroneously bookmarks this page - thinking it is a link to the resource.
- User B enters their credentials here, and is redirected back to the resource they were trying to access.
- The next day User B clicks the bookmark. (Current behaviour) the user can enter their credentials, and then receive an error page when they are successfully authenticated, but the authentication referral is expired.
- The user then complains to their colleagues/calls the service desk.
The question is - how should this scenario be handled?
I have a few ideas:
- Add a message on the initial login 'don't bookmark this page.'
- When the user returns to the bad bookmark, immediately display an error page. -- In which case - what should the message say? Does 'this URL is no longer valid' suffice?
- Detect which application the referral code refers to, and immediately redirect them to that page.
- Just log the user into their self service page (where they manage their credentials).
I'm of the opinion that we shouldn't design to explicitly correct the user's behavior. Instead you give them a closed door and let them try another way. But I'm wondering if that is in fact good design philosophy.
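An added example, not part of the original post: one way to evaluate the referral code when the login page is requested, before any credentials are entered, covering the error, redirect and self-service options listed above. The token format (an HMAC-signed JSON body with `app` and `exp`), the `APP_LANDING` table and the self-service URL are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: server-side signing key
# Assumption: each relying application registers one fixed landing URL.
APP_LANDING = {"exampleapp": "https://www.exampleapp.com/"}
SELF_SERVICE = "https://logon.example.com/self-service"   # hypothetical path

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_authref(app: str, expires_at: int) -> str:
    """Issue a referral code: base64url(JSON body) + '.' + base64url(HMAC)."""
    body = _b64(json.dumps({"app": app, "exp": expires_at}).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def route_login_request(authref: str, now: int) -> tuple[str, str]:
    """Decide what the login page does on GET, before asking for credentials."""
    try:
        body, sig = authref.split(".")
        expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        app, exp = claims["app"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        # Unreadable or tampered code: nothing in it can be trusted.
        return ("self_service", SELF_SERVICE)
    if now < exp:
        return ("show_login", app)
    # Expired (for example a bookmarked login URL): send the browser to the
    # application's registered landing page so it starts a fresh referral.
    # The target comes from the server-side table, never from the link itself.
    landing = APP_LANDING.get(app)
    return ("redirect", landing) if landing else ("self_service", SELF_SERVICE)
```

Because the decision is made on the initial request, the user never types credentials into a page that can only end in an error, and the redirect target cannot be steered by whoever crafted the link.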