have to do something about that return_url - but let's just plunge forward without it.

include/security.php

@@ -137,8 +137,8 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 	}
 
 	
-
-	if(($a->module !== 'home') && isset($_SESSION['return_url'])) {
+unset($_SESSION['return_url']);
+	if(($a->module !== 'home') && isset($_SESSION['return_url']) && strlen($_SESSION['return_url'])) {
 		$return_url = $_SESSION['return_url'];
 		unset($_SESSION['return_url']);
 		goaway($a->get_baseurl() . '/' . $return_url);