diff --git a/classes/handler/public.php b/classes/handler/public.php
index d776e27cd..d7a7010fe 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -416,10 +416,10 @@ class Handler_Public extends Handler {
 $_SESSION["login_error_msg"] ??= __("Incorrect username or password");
 }
- $return = clean($_REQUEST['return']);
+ $return = clean($_REQUEST['return'] ?? '');
- if ($_REQUEST['return'] && mb_strpos($return, Config::get_self_url()) === 0) {
- header("Location: " . clean($_REQUEST['return']));
+ if ($return && mb_strpos($return, Config::get_self_url()) === 0) {
+ header("Location: $return");
 } else {
 header("Location: " . Config::get_self_url());
 }
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index f113cd31e..697d0d0d2 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -36,7 +36,7 @@ class Auth_Internal extends Auth_Base {
 return false;
 } else {
- $return = urlencode($_REQUEST["return"]);
+ $return = urlencode(with_trailing_slash($_REQUEST["return"]));
 ?>
@@ -81,7 +81,7 @@ class Auth_Internal extends Auth_Base {
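Review bot: In classes/handler/public.php (hunk at -416), the new `if ($return && mb_strpos($return, Config::get_self_url()) === 0)` still picks the post-login redirect target with a bare string-prefix match. Whether that confines the redirect to this installation depends on `Config::get_self_url()` ending in a slash, which these lines do not show. If it returns the base URL without one, a `return` value whose host or path merely continues the same characters would pass the check and reach `header("Location: $return")`. Assuming the `with_trailing_slash()` helper used in plugins/auth_internal/init.php is callable here, I would compare against the slash-terminated base: `$base = with_trailing_slash(Config::get_self_url());` then `if ($return && mb_strpos($return, $base) === 0) {`. The enclosing method starts and ends outside this hunk, so I cannot tell whether the value is normalised anywhere else first.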
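Review bot: In plugins/auth_internal/init.php (hunk at -36), the new line still reads `$_REQUEST["return"]` with no default, while the public.php hunk in this same commit added `?? ''` for the same key. A login form rendered without a `return` parameter therefore passes null into `with_trailing_slash()`; I would make it `$return = urlencode(with_trailing_slash($_REQUEST["return"] ?? ''));`. The slash is also appended to the whole caller-supplied value, and how the helper treats an empty string, or a value ending in a file name or query string, is not visible here. That deserves a short comment on the line saying why the slash is needed, presumably so the value matches the prefix check in Handler_Public. The enclosing method and the form that consumes `$return` lie outside the visible lines.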