id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36195	redirect_to_login Misinterprets next Parameter with Multiple Query Parameters	Antoni Czaplicki		"There is a bug in the redirect_to_login function in django.contrib.auth.views. When the next parameter itself contains multiple query parameters (separated by &), they are incorrectly interpreted as part of the main login URL’s query parameters instead of being properly escaped as part of the next value.

Steps to Reproduce:
	1.	Configure Django view with required login decorator
	2.	Attempt to access a protected view with a next parameter containing multiple query parameters, e.g.:

`/protected-view/?foo=1&bar=2`


	3.	The user is redirected to the login page, where the generated login URL is:

`/login/?next=/protected-view/?foo=1&bar=2`

This is incorrect because &bar=2 is interpreted as a separate query parameter for /login/ instead of part of the next value.

	4.	After login, the user is redirected to:

`/protected-view/?foo=1`

Instead of the expected:

`/protected-view/?foo=1&bar=2`



Expected Behavior:
Ampersands in next parameter should be properly escaped so that it is treated as a single query parameter in the login URL. It should appear as:

`/login/?next=/protected-view/?foo=1%26bar=2`

so that after login, Django correctly redirects to:

`/protected-view/?foo=1&bar=2`

Affected Code:
The issue originates in redirect_to_login:

https://github.com/django/django/blob/2d34ebe49a25d0974392583d5bbd954baf742a32/django/contrib/auth/views.py#L180"	Bug	closed	contrib.auth	5.1	Normal	worksforme	auth redirect_to_login query		Unreviewed	0	0	0	0	0	0