You do not need an id in the
Tk url after authentication /user and everyone will have their own. The user id will be in the session (if this is a normal browser script, not api)
Write authentication according to the documentation, close the /user route for unauthenticated ones
Here is an example:

• https://spring.io/guides/gs/securing-web/
  

1) why do you have muscle in tags?
2) Read about headers, in particular response codes 301/302 and location
3) "Logging" is writing to the log, what you meant is called authorization or "login".
4) After login, you should create a user object, in which, in particular, you can find the id property.