Lets say I have 4 tabs open with 4 different moodle pages.
My session times out, eg the next day I pick things back up. If I reload all 4 tabs (which can also happen automatically with a browser session resumes) then all 4 of them redirect to the login page, and in the process each sets in the session state the wants url and so the last one to write to it wins.
Symptom 1: Then I log in again in one of them at random, and I might go to the page I wanted but 75% of the time I'll go to the page from one of the other tabs.
Symptom 2: now on the other 3 tabs I'm technically logged in but they are still on the login page and don't know that yet. If I reload them then I get a dumb error: "You are already logged in as Admin User, you need to log out before logging in as different user."
1) the wantsurl state is additionally stored, where possible, in the url of the login page as a query param
2) the param is kept on subsequent login page submits, ie if you get your password wrong
3) if the wantsurl is in the param and the session the param takes precedence
4) If you load the login page, and you have a wants url, and you are logged in, then just redirect back and don't show the red herring error message
This should fully solve the issue for non-sso auth plugins. The sso ones need to fix it themselves.
There is also a 3 third half overlapping bug which is around the hash anchor being lost after a login redirect, which I think can be solved as part of this or might get split out, eg: