A semi Partial Answer (1am & I can't go into details :), but I've answered your post in the Lounge and I can help you here).
"
You'll note that it is just returning a redirect." That's the first problem, you should only re-direct if the login is a success.
"
as this loses all the model data (which would be useful to keep if the log on fails)" If the login fails you should return a view with the "failure" information in (I'm guessing the form you have, with the username filled in (the password blanked and a message "Your login fooed for some reason" type thing). I'm not sure what else you'd want to keep this information for. Without persisting it at the server via session or a proper backing store, you're going to have the same problems that you'd have with ASP.NET: there is no way to send the information safely to the client without encryption (even ViewState can be read). This is *partially* an example of what I was alluding to in The Lounge about ASP.NET forms hiding stuff from you and it not always being a good thing.
What I'm thinking is that there might be a way to determine the default view based on the referrer URL. So if I pass in "/Home/Index" or "/Home" or "/" or "/SomeOtherValidRoute" to a function, it will return the "~/Views/Home/Index.cshtml" view. There is a way to achieve this and you are close to the mark.
If you want to see a full solution, I suggest you create a new MVC3 application but select "
Internet". It creates a login form for you, secured against (unconfigured) Authentication/Authorisation providers. You can secure it against the providers as you would for ASP.NET. Let's say you've two secured action methods corresponding to /home/index and /foo/bar. It is important to secure these with the
Authorize attribute[
^] as there may be more than one way to access these methods, the ASP.NET location in web config is not sufficient.
Anyway, having done this, if you try and navigate to /home/index you'll get the login page and the Query string posted back to the server will have /home/index as the target. The default Login action method (similar to the one you have) will then transfer to the target as supplied by the login form in the query string. That way, if navigating to /foo/bar and logging in it will re-direct there instead.
This isn't the only way to skin this problem, but it should get you started.
Let me know if you need any more help, I'll try to remember to see if you've replied in the morning sorry I can't provide code at the moment!