I suggest that your clients should not explicitly request the login page. They should request whatever page they eventually want access to. Regardless of what page the client requests, the server should check whether the client is logged in and if not, return the login page. The destination URL for the login page should be the same as the client's original request i.e. if you request the URL outside of a logged-in session you get the login page, and if you request it within a logged-in session (and assuming the logged-in user has rights to access the requested resource) you get the page you asked for.