The default "returnto" should be "/".
Right now, it's strange that the login page lands you back on the login page after logging in.
Does this need to be done via a cookie?
We can just pass returnTo to the login form via a URL param and then set it in the login form in a hidden field; it then goes along with the POST, and a successful login just sends back a 302 to the returnTo?
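The flow proposed above, carried through as an added example in plain Python functions so it runs without a web framework; this is editor-supplied code, not code from this project. The names `DEFAULT_RETURN_TO`, `safe_return_to`, `login_form_html` and `handle_login_post` are assumptions for the example. It also includes the one check a reviewer would ask for on any returnTo parameter, that the value is a same-site path, so that the 302 cannot be pointed at another host; that check is an addition here, not something the thread discusses.

```python
"""Added example (not this project's code): returnTo carried in a hidden form
field and honoured with a 302 on successful login.  All names are assumed."""
from html import escape
from urllib.parse import parse_qs, urlsplit

DEFAULT_RETURN_TO = "/"   # the default the thread asks for


def safe_return_to(value):
    """Accept only a same-site absolute path.  Missing or empty values,
    absolute URLs ("https://evil.example/"), protocol-relative ones
    ("//evil.example"), backslash tricks and the login page itself all
    fall back to "/".  This is the standard guard against using returnTo
    as an open redirect; it is the editor's addition, not from the thread."""
    if not value or not value.startswith("/"):
        return DEFAULT_RETURN_TO
    if value.startswith("//") or value.startswith("/\\"):
        return DEFAULT_RETURN_TO
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return DEFAULT_RETURN_TO
    if parts.path == "/login":          # never bounce back onto the login page
        return DEFAULT_RETURN_TO
    return value


def login_form_html(query_string):
    """GET /login?returnTo=...  Renders the form with a hidden returnTo field.
    The value is validated before it goes into the page, so a bad value is
    already "/" here and not just at redirect time."""
    params = parse_qs(query_string)
    target = safe_return_to(params.get("returnTo", [""])[0])
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="returnTo" value="{escape(target, quote=True)}">'
        '<input name="username">'
        '<input type="password" name="password">'
        '<button>Log in</button>'
        '</form>'
    )


def handle_login_post(form, check_credentials):
    """POST /login.  `form` is the parsed form body; `check_credentials` is
    whatever the project uses to verify a username/password pair.
    Returns (status, headers) the way a minimal WSGI-style handler would."""
    if check_credentials(form.get("username", ""), form.get("password", "")):
        return 302, {"Location": safe_return_to(form.get("returnTo", ""))}
    return 200, {}   # re-render the form with an error (rendering omitted)


if __name__ == "__main__":
    print(login_form_html("returnTo=/account/settings"))
    print(handle_login_post({"username": "alice", "password": "pw",
                             "returnTo": "//evil.example"},
                            lambda u, p: (u, p) == ("alice", "pw")))
```

The validation runs twice on purpose: once when the form is rendered, so the hidden field never carries a foreign URL, and again on POST, because the hidden field is client-controlled and can be edited before submission.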
It does not 'need' to be done via cookie. Some might even argue that the cookie method is inferior. I might be wrong, but it is the way I've done it for the sake of improved page cacheability. There could basically be an infinite number of possible returnTo's, leading to many, many "different" login pages, from a caching perspective. I endorse using a temporary cookie for this functionality.
It might be nice to allow the entire site to function without cookies, but I'm not particularly in favor of it since that is rarely a project requirement (probably hasn't been a requirement in years).
It would be nice to have the option not to have usernames etc. in cookies, for instance if the user is on a public PC.
Instead of the username or anything else being stored in the cookie, a GUID could be placed in the cookie, with a table of logged-in users: the session GUID and whatever user data is needed, stored for quick lookup on each request.
When a user requests a page, the GUID would be checked and the user's data added to the request object so it can be used.
As for page personalization, an AJAX request could be made after login and the data saved in local storage, or, if it is a public PC, in a client-side object.
I may have missed something as I am new to this project, but I would like to help.
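The opaque-session-id design proposed in the post above, as an added example (editor-supplied Python, not this project's code): the cookie carries only a random identifier, and everything about the user lives in a server-side table keyed by that identifier, looked up once per request and attached to the request object. `SessionStore`, `set_cookie_header`, `parse_cookie`, `attach_user` and the plain-dict "request" are assumptions for the example; the id is generated with `secrets.token_urlsafe`, which gives at least as much randomness as a version-4 GUID.

```python
"""Added example (not this project's code): server-side session table keyed
by an unguessable id that is the only thing stored in the cookie."""
import secrets
import time


class SessionStore:
    """In-memory table of logged-in users keyed by session id.  A real
    deployment would back this with a database or cache; the logic is the
    same.  `now` is injectable so expiry can be tested without sleeping."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self._rows = {}   # session id -> {"user": {...}, "expires": float}

    def create(self, user_data):
        """Log a user in: mint an id and remember the user data under it.
        token_urlsafe(16) is 128 bits from the OS CSPRNG; a v4 GUID carries
        122 random bits, so this is at least as hard to guess."""
        sid = secrets.token_urlsafe(16)
        self._rows[sid] = {"user": dict(user_data), "expires": self.now() + self.ttl}
        return sid

    def lookup(self, sid):
        """Return the user data for a live session, or None for an unknown
        or expired id.  Expired rows are dropped on the spot."""
        row = self._rows.get(sid)
        if row is None:
            return None
        if row["expires"] <= self.now():
            del self._rows[sid]
            return None
        return row["user"]

    def destroy(self, sid):
        """Log out: forget the row, so the cookie value becomes worthless."""
        self._rows.pop(sid, None)


def set_cookie_header(sid):
    # HttpOnly keeps the id away from page scripts, Secure keeps it off plain
    # HTTP, SameSite=Lax stops cross-site POSTs from carrying it.
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookie(header):
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def attach_user(request, store):
    """The per-request step from the proposal: read the id from the cookie,
    look the user up, and put the result on the request object.
    `request` is a plain dict standing in for the framework's request."""
    sid = parse_cookie(request.get("Cookie")).get("session")
    request["user"] = store.lookup(sid) if sid else None
    return request["user"]


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create({"username": "alice", "role": "editor"})
    print(set_cookie_header(sid))
    req = {"Cookie": f"session={sid}"}
    print(attach_user(req, store))            # alice's row
    store.destroy(sid)
    print(attach_user(req, store))            # None: logged out
```

Because the cookie holds nothing but the id, "log out" is simply deleting the row, and a cookie copied off a shared machine stops working the moment the session expires or is destroyed; nothing about the user can be read from the cookie itself.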