diff --git a/front/index.php b/front/index.php
index e50550a1..6ba90437 100755
--- a/front/index.php
+++ b/front/index.php
@@ -7,6 +7,10 @@ require_once $_SERVER['DOCUMENT_ROOT'].'/php/server/db.php';
 require_once $_SERVER['DOCUMENT_ROOT'].'/php/templates/language/lang.php';
 require_once $_SERVER['DOCUMENT_ROOT'].'/php/templates/security.php';
 
+// if (session_status() === PHP_SESSION_NONE) {
+//     session_start();
+// }
+
 session_start();
 
 const COOKIE_NAME = 'NetAlertX_SaveLogin';
@@ -25,10 +29,13 @@ function validate_local_path(?string $encoded): string {
     if (!$encoded) return DEFAULT_REDIRECT;
 
     $decoded = base64_decode($encoded, true);
-    if ($decoded === false) return DEFAULT_REDIRECT;
+    if ($decoded === false) {
+        return DEFAULT_REDIRECT;
+    }
 
-    // strict local path check
-    if (!preg_match('#^/[a-zA-Z0-9_\-/\.]*$#', $decoded)) {
+    // strict local path check (allow safe query strings + fragments)
+    // Using ~ as the delimiter instead of #
+    if (!preg_match('~^(?!//)(?!.*://)/[a-zA-Z0-9_\-./?=&:%#]*$~', $decoded)) {
         return DEFAULT_REDIRECT;
     }
 
@@ -74,7 +81,9 @@ $redirectTo = validate_local_path($_GET['next'] ?? null);
 ===================================================== */
 
 if ($nax_WebProtection !== 'true') {
-    login_user();
+    if (!is_authenticated()) {
+        login_user();
+    }
     safe_redirect(append_hash($redirectTo));
 }
 
@@ -190,7 +199,11 @@ if ($nax_Password === '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923
   <!-- /.login-logo -->
   <div class="login-box-body">
     <p class="login-box-msg"><?= lang('Login_Box');?></p>
-      <form action="index.php<?php echo !empty($_GET['next']) ? '?next=' . htmlspecialchars($_GET['next']) : ''; ?>" method="post">
+      <form action="index.php<?php
+      echo !empty($_GET['next'])
+          ? '?next=' . htmlspecialchars($_GET['next'], ENT_QUOTES, 'UTF-8')
+          : '';
+      ?>" method="post">
       <div class="form-group has-feedback">
         <input type="hidden" name="url_hash" id="url_hash">
         <input type="password" class="form-control" placeholder="<?= lang('Login_Psw-box');?>" name="loginpassword">
diff --git a/front/php/templates/security.php b/front/php/templates/security.php
index d294d8f1..b9886174 100755
--- a/front/php/templates/security.php
+++ b/front/php/templates/security.php
@@ -1,5 +1,10 @@
 <?php
 
+// Start session if not already started
+if (session_status() == PHP_SESSION_NONE) {
+    session_start();
+}
+
 // Constants
 $configFolderPath = rtrim(getenv('NETALERTX_CONFIG') ?: '/data/config', '/');
 $legacyConfigPath = $_SERVER['DOCUMENT_ROOT'] . "/../config/app.conf";
@@ -45,10 +50,6 @@ $isLogonPage = ($parsedUrl === '/' || $parsedUrl === '/index.php');
 $authHeader = apache_request_headers()['Authorization'] ?? '';
 $sessionLogin = isset($_SESSION['login']) ? $_SESSION['login'] : 0;
 
-// Start session if not already started
-if (session_status() == PHP_SESSION_NONE) {
-    session_start();
-}
 
 // Handle logout
 if (!empty($_REQUEST['action']) && $_REQUEST['action'] == 'logout') {
@@ -86,7 +87,7 @@ if ($nax_WebProtection == 'true') {
         // Logged in or stay on this page if we are on the index.php already
     } else {
         // We need to redirect
-        $returnUrl = base64_encode($_SERVER['REQUEST_URI']);
+        $returnUrl = rawurlencode(base64_encode($_SERVER['REQUEST_URI']));
         redirect("/index.php?next=" . $returnUrl);
         exit; // exit is needed to prevent authentication bypass
     }