Best way to redirect unauthorized users to a new page based on a condition?

My site has a majority of the content behind a login system. I see through the privacy settings you can make it so the data won’t display if the user isn’t logged in, but they can still see the page.

I have used the on page load event to navigate not logged in states to the front page. However, the page loads first, which just made me wonder if there is a more efficient solution that would conserve server resources.

What are other popular methods to prevent users from trying to navigate into the site?

I want to leave the menu items in place. One more method I might use is to disable buttons.


Sam here, with Bubble support. This is a great question, and it seems like you’ve figured out the main way to achieve this functionality - the page is loaded workflows will allow you to set any type of condition you want to check for, and redirect a user if that condition isn’t met.

You are correct that the page needs to load first in order to validate these conditions, but I wouldn’t be overly concerned with server resources, as this is very standard. A common UI trick here is to show a loading spinner on page load as well and only hide it if the condition passes and the user stays on the page. That way, there is no odd user experience whereby they can see elements of a page they aren’t supposed to be on.

Alternatively, I’ve seen some setups whereby a specific “redirect” page (usually the index) is used as a landing spot to direct the user to whichever page they need to be on. This doesn’t necessarily amount to any efficiency improvements, but rather is just another way of organizing your workflows and redirect processes.

I hope this helps!


Hi @sam.morgan, thanks for confirming this. It’s the method I’m using at the moment, but I have a concern that the page does reveal some information in the source code before the redirect occurs.

Is the only option to prevent the rendering of individual elements (i.e. that might contain private data) as well as covering the page with an overlay spinner? It seems like a lot of work for something that is usually just a server-side check. I have to do this on several admin-only pages. The biggest issue is that even if I wrap the main body content in a ‘hide on load / show when admin’ conditional element, it still partially shows the page and I don’t want the page to appear to exist at all. This is a security concern, so an effective solution would be gratefully received.

UPDATE: I’m still getting a flash of the page content even using both a ‘logged in’ workflow check (redirect) as well as an on-page hidden body which only shows the content if the user is an admin. It’s not revealing any private data at this point, but I can still see the page for a moment. There has to be a better way than this, so what am I doing wrong?



The trick is to put logic into both the User is Logged In and User is Logged Out workflows and not reference ANY page variables or Current Objects (except current user). We actually don’t even reference the Current Page object, as that will trigger it to run client side. There is a JS trick to block client-side redirects which will allow hackers to stay on the page and do stuff. If we need to check security on an object, we actually do a Search for the object and grab the ID from the URL using current URL and extract with regex. To test your page, see if the very first response in the JavaScript debugger is a server-side 302… that is the only way.

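The test described in the reply above (the very first response for a protected URL should be a server-side 302) can be automated. This is an added example, not code from the thread or from Bubble; the function names, the response shape, and the sample responses are constructed for illustration.

```javascript
// Added example (not from the thread). Response shape {status, headers, body}
// and all names below are assumptions made for this illustration.
const REDIRECT_CODES = [301, 302, 303, 307, 308];

// Classify the FIRST response returned for a protected page URL.
function classifyFirstResponse(res, privateMarkers = []) {
  const headers = {};
  for (const [k, v] of Object.entries(res.headers || {})) {
    headers[k.toLowerCase()] = String(v);
  }
  const body = res.body || "";
  // Strings that must never reach a logged-out client, even in page source.
  const leaked = privateMarkers.filter((m) => body.includes(m));
  const serverRedirect =
    REDIRECT_CODES.includes(res.status) && Boolean(headers.location);
  return {
    // "page-served": the page was delivered, so any redirect that follows
    // runs in the browser and can be blocked by the visitor.
    verdict: serverRedirect ? "server-redirect" : "page-served",
    location: serverRedirect ? headers.location : null,
    leaked,
    pass: serverRedirect && leaked.length === 0,
  };
}

// Live check (Node 18+ global fetch). redirect: "manual" stops fetch from
// following the redirect, so the first response itself is inspected.
async function checkUrl(url, privateMarkers = []) {
  const r = await fetch(url, { redirect: "manual" });
  const res = {
    status: r.status,
    headers: Object.fromEntries(r.headers),
    body: await r.text(),
  };
  return classifyFirstResponse(res, privateMarkers);
}

// Constructed sample responses for a logged-out request to an admin page.
const SERVER_SIDE = { status: 302, headers: { Location: "/index" }, body: "" };
const CLIENT_SIDE = {
  status: 200,
  headers: { "Content-Type": "text/html" },
  body: "<html><body><div>Admin dashboard</div></body></html>",
};

console.log(classifyFirstResponse(SERVER_SIDE, ["Admin dashboard"]));
console.log(classifyFirstResponse(CLIENT_SIDE, ["Admin dashboard"]));
```

Run `checkUrl` against each admin-only page from a logged-out session; a `page-served` verdict means the redirect depends on the browser running the page's JavaScript.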

Thanks, @notorioustech. That’s good insight and very useful. I’ll see what I can do with it!