diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 53957e2fb..82b6a8efb 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -7,7 +7,8 @@ class SessionsController < ApplicationController
     session_creator = SessionCreator.new(session, cookies, params[:name], params[:password], params[:remember])
 
     if session_creator.authenticate
-      redirect_to(params[:url] || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
+      url = params[:url] if params[:url].start_with? '/'
+      redirect_to(url || session[:previous_uri] || posts_path, :notice => "You are now logged in.")
     else
       redirect_to(new_session_path, :notice => "Password was incorrect.")
     end