Ideally the site should store the destination in something like redis or memcached and hand the browser an endpoint with an opaque token for the redirect. After login the endpoint gets the token, looks up the actual destination, and does a final redirect. The bonus to this method is that the site can store more than just the destination, but keep useful state, as long as that state is safe across authentication boundaries.