first of all, you should recheck the setting of your authcookie. That looks wrong (setting
it only if returnurl is not set ..that looks..not intended and should've happened before - right after verifying the login credentials)
Then, you dont need to check returnurl yourself. formsauthentication is handling that for
your. In your web.config, set the appropiate defaulturl and loginurl in the forms authentication section. E.g.
<forms name="yourAppName" defaultUrl="yourInternalUrlWhichIsProtected" loginUrl="login.aspx" protection="All" timeout=".." slidingExpiration="true" path="/"/>