cakephp · ADmad · Nov 6, 2025 · Oct 24, 2025
diff --git a/src/AuthenticationService.php b/src/AuthenticationService.php
@@ -383,14 +383,20 @@ public function buildIdentity(ArrayAccess|array $identityData): IdentityInterfac
      */
     public function getUnauthenticatedRedirectUrl(ServerRequestInterface $request): ?string
     {
-        $param = $this->getConfig('queryParam');
         $target = $this->getConfig('unauthenticatedRedirect');
         if ($target === null) {
             return null;
         }
+
         if (is_array($target) && class_exists(Router::class)) {
             $target = Router::url($target);
         }
+
+        if ($request->getMethod() !== 'GET') {
+            return $target;
+        }
+
+        $param = $this->getConfig('queryParam');
         if ($param === null) {
             return $target;
         }

diff --git a/tests/TestCase/AuthenticationServiceTest.php b/tests/TestCase/AuthenticationServiceTest.php
@@ -847,6 +847,22 @@ public function testGetUnauthenticatedRedirectUrl()
         );
     }
 
+    public function testGetUnauthenticatedRedirectUrlForPost()
+    {
+        $service = new AuthenticationService();
+        $service->setConfig('unauthenticatedRedirect', '/users/login');
+        $service->setConfig('queryParam', 'redirect');
+
+        $request = ServerRequestFactory::fromGlobals(
+            ['REQUEST_URI' => '/secrets', 'REQUEST_METHOD' => 'POST'],
+        );
+        $this->assertSame(
+            '/users/login',
+            $service->getUnauthenticatedRedirectUrl($request),
+            'Redirect query param should be only set for GET requests',
+        );
+    }
+
     public function testGetUnauthenticatedRedirectUrlAsArray()
     {
         Router::fullBaseUrl('http://localhost');