It looks like when you applied restrict access to page to the pages, you specified the failed redirect to go to the page: access-denied.php
Then that page has restrict access to page set to go to the login page.
That means that the last page restricted was the access-denied.php page, and therefor that is the page it sends them back to.
You need to update the restrict access to page on the products.php page to take them to the login.php page directly on failure. Then it will return them to that page properly after login.