So the root problem is that our redirection post login ignores the domain the user came from. We ignore it because of phishing attacks, where an attacker can form a malicious link redirecting a user back to their login.
But perhaps we can change it to not ignore the domain if the top-level domain of the source is the same; this way, it would just work for you.
What do you think of this?
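One way to implement the domain check proposed above, as an added example (not the project's own code): the post-login redirect target is honoured only when it is a same-site relative path or its host is, or is a subdomain of, one of the site's own registrable domains; everything else falls back to a fixed landing page. The allowed domains and the default landing path are constructed placeholders. Note that the comparison is against the full registrable domain (for instance `example.com`), not just the top-level label (`.com`), because any attacker can register a name under the same TLD.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholders; the real application's domains are not known here.
ALLOWED_DOMAINS = {"example.com", "app.example.com"}
DEFAULT_LANDING = "/dashboard"


def _host_allowed(host: str) -> bool:
    """True if host equals, or is a subdomain of, an allowed registrable domain."""
    host = host.lower().rstrip(".")
    for allowed in ALLOWED_DOMAINS:
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def safe_post_login_redirect(next_url: Optional[str]) -> str:
    """Return next_url if it is safe to redirect to after login, else DEFAULT_LANDING."""
    if not next_url:
        return DEFAULT_LANDING
    # Browsers treat a backslash like a slash in the authority position, so a
    # value such as "/\\evil.example" would leave the site even though
    # urlsplit() reports no host. Reject it outright.
    if "\\" in next_url:
        return DEFAULT_LANDING
    parts = urlsplit(next_url)
    if parts.netloc:
        # Absolute or scheme-relative ("//host") URL: require https/http and an
        # allowed host. parts.hostname strips userinfo and port, so
        # "https://example.com@attacker.example/" resolves to attacker.example.
        if parts.scheme not in ("http", "https"):
            return DEFAULT_LANDING
        if not _host_allowed(parts.hostname or ""):
            return DEFAULT_LANDING
        return next_url
    if parts.scheme:
        # Non-network schemes (javascript:, data:, ...) carry no host; reject them.
        return DEFAULT_LANDING
    # Same-origin relative path: exactly one leading slash.
    if next_url.startswith("/") and not next_url.startswith("//"):
        return next_url
    return DEFAULT_LANDING


if __name__ == "__main__":
    for candidate in ["/account", "https://app.example.com/settings",
                      "//other.example/", "https://example.com.other.example/"]:
        print(f"{candidate!r:45} -> {safe_post_login_redirect(candidate)}")
```

The check is deliberately an allowlist on the host rather than a blocklist of known-bad patterns, so a new subdomain of the site works without code changes while any host that merely ends in the same TLD does not.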