diff --git a/login_provider/app.py b/login_provider/app.py
index 3ad15c331ce7fed4d4a6aab14d8e64e012343502..3e472cdd8630c7076ff59c6498c725b7ad11f22d 100644
--- a/login_provider/app.py
+++ b/login_provider/app.py
@@ -1,7 +1,7 @@
 from flask import abort, Flask, redirect, request, render_template, url_for
 from os import urandom, environ
 from hydra_client import HydraAdmin
-from wtforms import SubmitField, StringField, PasswordField
+from wtforms import SubmitField, StringField, PasswordField, HiddenField, validators
 from flask_wtf import FlaskForm
 from flask_login import login_user, logout_user, LoginManager, login_required, current_user
 from db import User
@@ -27,10 +27,12 @@ class LogoutForm(FlaskForm):
     logout = SubmitField("logout")
 
 class LoginForm(FlaskForm):
-    username = StringField("username")
-    password = PasswordField("password")
+    username = StringField("username", validators=[validators.input_required()])
+    password = PasswordField("password", validators=[validators.input_required()])
+    next_url = HiddenField("next_url")
     submit = SubmitField("Sign in")
 
+
 @app.route('/')
 @login_required
 def home():
@@ -52,15 +54,20 @@ def login():
         user = User(login_form.username.data)
         if user.active and user.verify_password(login_form.password.data):
             login_user(user)
-        next_url = request.args.get('next')
-        if not is_safe_url(next):
+        next_url = login_form.next_url.data
+        if not is_safe_url(next_url):
             return abort(400)
         return redirect(next_url or url_for('home'))
+    login_form.next_url.data = request.args.get('next')
     return render_template('login.html', login_form=login_form)
 
 def is_safe_url(url):
-    #TODO implement this
-    return True
+    print(url)
+    safe = True if url == "" else False
+    safe = True if url == "/" or safe else False
+    safe = True if url[:18] == "/?login_challenge=" \
+                   and url[18:].isalnum() or safe else False
+    return safe
 
 
 @app.route('/logout', methods=['POST'])
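Review bot: `is_safe_url` slices `url` without checking for `None`, so a POST that omits the `next_url` field may raise `TypeError` on `url[:18]` and return a 500 rather than a 400 or a redirect. Whether `HiddenField.data` is `None` or `""` in that case depends on the WTForms version, so this is worth confirming. The `print(url)` on the function's first line also writes a client-supplied value, including the login challenge, to stdout and should be dropped or moved to a debug-level logger. The chained `True if … else False` assignments are hard to audit for an allowlist; guard clauses with `startswith` accept the same three shapes and remove the magic 18. `login()`, which calls this function, starts outside the hunk.

```python
def is_safe_url(url):
    # Missing or empty target: the caller falls back to url_for('home').
    if not url:
        return True
    if url == "/":
        return True
    prefix = "/?login_challenge="
    return url.startswith(prefix) and url[len(prefix):].isalnum()
```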
diff --git a/login_provider/templates/login.html b/login_provider/templates/login.html
index af0dd195c7ec79d82b0c32e104bc6c86c091614b..e020cd60ec769326f619b3562626ccbea1d80782 100644
--- a/login_provider/templates/login.html
+++ b/login_provider/templates/login.html
@@ -3,6 +3,7 @@
 <h1>Login</h1>
 <form method="POST" action="/login">
     {{ login_form.csrf_token }}
+    {{ login_form.next_url }}
     {{ login_form.username }}
     {{ login_form.password }}
     {{ login_form.submit }}