The automatic redirect should not introduce any security vulnerabilities. If you are aware of an exploit, please let us know via our disclosure program: discourse/SECURITY.md at master · discourse/discourse · GitHub
I don’t think we want to add more noise to the settings until we have some more users requesting this change.
You could override this in a plugin by patching this method:
So I think you would want to simplify the function right down to
def redirect_to_login
dont_cache_page
cookies[:destination_url] = destination_url
redirect_to path("/login")
end