I have a page that is restricted via permissions to a specific user group. When clicking a link to that page, visitors who aren’t logged-in are forwarded to the login screen (as expected). After submitting the correct credentials, it appears as if nothing happens and the user is left on the login page. Submitting login credentials again results in the login page refreshing with the “Invalid form token. Please reload this form and submit again” message and a message informing the user they are already logged in. The behavior is the same if attempting to access the page directly via the URL.
Looking at the network activity when submitting the login credentials, there is a POST to /login/authenticate/concrete, followed by a GET to /login/login_complete, but then nothing else happens. Normally, on a normal successful login, that POST and GET are followed by another GET to the URL of whatever page is set in the CMS as the login destination (for example, the homepage), but this second GET request never happens when trying to login to the restricted page, it just sits on the login page and nothing further happens, even though the credentials have been submitted, accepted, and the user is technically logged-in.
One further interesting point is that this only seems to happen on Chromium-based browsers, as logging in to the restricted page directly via Firefox has no issues whatsoever.
Any idea what is going on here? This behavior does not happen when normally logging into the CMS via the /login URL, this only happens when a user is attempting to login via a link/URL to a restricted page on the site.