diff --git a/public/src/ajaxify.js b/public/src/ajaxify.js
index 77b04f63c1..a990e08757 100644
--- a/public/src/ajaxify.js
+++ b/public/src/ajaxify.js
@@ -272,6 +272,9 @@ $(document).ready(function () {
 apiXHR = $.ajax({
 url: RELATIVE_PATH + '/api/' + url,
 cache: false,
+ headers: {
+ 'X-Return-To': app.previousUrl
+ },
 success: function (data) {
 if (!data) {
 return;
diff --git a/public/src/client/login.js b/public/src/client/login.js
index 254c90d583..f798347c73 100644
--- a/public/src/client/login.js
+++ b/public/src/client/login.js
@@ -59,17 +59,6 @@ define('forum/login', ['translator'], function (translator) {
 } else {
 $('#content #username').focus();
 }
-
-
- // Add "returnTo" data if present
- if (app.previousUrl && $('#returnTo').length === 0) {
- var returnToEl = document.createElement('input');
- returnToEl.type = 'hidden';
- returnToEl.name = 'returnTo';
- returnToEl.id = 'returnTo';
- returnToEl.value = app.previousUrl;
- $(returnToEl).appendTo(formEl);
- }
 };
 
 return Login;
diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js
index 0111f62573..86ff7563f3 100644
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -196,15 +196,6 @@ authenticationController.registerAbort = function (req, res) {
 };
 
 authenticationController.login = function (req, res, next) {
- // Handle returnTo data
- if (req.body.hasOwnProperty('returnTo') && !req.session.returnTo) {
- // As req.body is data obtained via userland, it is untrusted, restrict to internal links only
- var parsed = url.parse(req.body.returnTo);
- var isInternal = utils.isInternalURI(url.parse(req.body.returnTo), nconf.get('url_parsed'), nconf.get('relative_path'));
- req.session.returnTo = isInternal ? req.body.returnTo : nconf.get('url');
- }
-
 if (plugins.hasListeners('action:auth.overrideLogin')) {
 return continueLogin(req, res, next);
 }
diff --git a/src/controllers/index.js b/src/controllers/index.js
index 06da343d61..a43480d50e 100644
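Review bot: `'X-Return-To': app.previousUrl` is added to every API request even when `app.previousUrl` is unset; XHR's setRequestHeader stringifies non-string values, so the server will most likely receive the literal text `undefined` rather than no header at all, and a login controller that stores whatever it receives would then use that text as a post-login redirect target. Send the header only when there is a URL to send, e.g. `headers: app.previousUrl ? { 'X-Return-To': app.previousUrl } : {},`. The enclosing `$.ajax` call and the `ready` handler both continue outside the hunk.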
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@@ -104,6 +104,7 @@ Controllers.login = function (req, res, next) {
 var registrationType = meta.config.registrationType || 'normal';
 var allowLoginWith = (meta.config.allowLoginWith || 'username-email');
 
+ var returnTo = req.headers['x-return-to'].replace(nconf.get('url'), '');
 var errorText;
 
 if (req.query.error === 'csrf-invalid') {
@@ -112,6 +113,10 @@ Controllers.login = function (req, res, next) {
 errorText = validator.escape(String(req.query.error));
 }
 
+ if (returnTo) {
+ req.session.returnTo = returnTo;
+ }
+
 data.alternate_logins = loginStrategies.length > 0;
 data.authentication = loginStrategies;
 data.allowLocalLogin = parseInt(meta.config.allowLocalLogin, 10) === 1 || parseInt(req.query.local, 10) === 1;
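Review bot: `req.headers['x-return-to'].replace(nconf.get('url'), '')` in the first hunk throws a TypeError whenever the header is absent (any non-ajaxified request for the login page), and the internal-link check the commit removes from authenticationController.login (`utils.isInternalURI` against `nconf.get('url_parsed')`) is not reinstated here: a header value that does not begin with the site URL, including an absolute URL to another host or a protocol-relative `//host/path`, passes through `replace` unchanged and is stored in `req.session.returnTo` by the second hunk, where it becomes a post-login redirect target. A request header is userland input exactly as `req.body.returnTo` was, so the same restriction is needed. The second hunk also overwrites an existing `req.session.returnTo` unconditionally, whereas the removed code only set it when empty; confirm that is intended. `url` and `utils` were in scope in authentication.js but may not be required in this file — add the requires if needed. Controllers.login starts and ends outside these hunks.

```javascript
var rawReturnTo = req.headers['x-return-to'];
var returnTo = '';
// Header is client-supplied; keep only internal URLs, as the removed body-based check did
if (typeof rawReturnTo === 'string' && utils.isInternalURI(url.parse(rawReturnTo), nconf.get('url_parsed'), nconf.get('relative_path'))) {
	returnTo = rawReturnTo.replace(nconf.get('url'), '');
}
// … unchanged: errorText handling …
```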