I just gave this a try on the develop branch with the upcoming changes for 3.6.2 and it worked flawlessly. Here’s what I did; maybe this helps tracking down where your approach runs into that error?
1 – Created a route for login/(:all), but that’s of course just one of many ways to set the logintarget in the session:
// in config.php -> routes
[
'pattern' => 'login/(:all)',
'action' => function ($path = null) {
kirby()->session()->set('myplugin.logintarget', $path);
go('panel/login');
}
],
2 – Created a user blueprint for the role I am targeting (for testing purposes, I simply used admin.yml temporarily):
# admin.yml
home: "{{ site.logintarget }}"
permissions:
access:
panel: false
3 – Created a plugin providing the site method logintarget:
// site/plugins/myplugin/index.php
Kirby::plugin('myplugin/logintarget', [
'siteMethods' => [
'logintarget' => function () {
$target = kirby()->session()->pull('myplugin.logintarget');
if ($target === null) {
return '/panel';
}
return $target;
}
]
]);
Now when I go to https://example.com/login/blog, I get forwarded to the login form and after entering my credentials end up on the https://example.com/blog page, now logged in as a user. If I go directly to the login form without a pre-existing session, I get forwarded to https://example.com as I’d expect (since access to the panel is forbidden and no logintarget stored in the session).
This is where I originally ended up with the two bugs that have now been fixed. What context am I missing to reproduce the error you described?