I have a login form which, after given submit it is sent to itself with the information via POST , and if it is wrong, it displays an error message and shows the same form again. I did this to avoid creating type pages: login.php , validalogin.php .
I wonder if it was a good method, because I reduced the number of pages, but when the user press F5 the page resends all the data again. If this is a good method, can you fix the problem of F5 ?
Another way around this and also to ensure a little more security is to use a submit token.
Example: When someone asks for the login screen you create a token, example a uuid saves and sends in hide on the form. Once the form is submitted you check if it exists on your list and mark it as used. This way if the same token is resubmitted a few times you will not reprocess it again.
It starts to improve security too, of course it goes far beyond what I put here, if someone forges the request of your page with a scam, spam is whatever else the attacker uses, you will "guarantee" that that form was created by your "e" system that the used token you know it, so it is a good situation. So if the attacker tries to send it again it will not succeed because the token has already been used.
More about the attack of CSRF
I think this can be bypassed through a redirect. Make a POST for your form and, in case of failure, make a redirect ( 302 ) for itself - passing in the query string render parameters ie which error message it is to display). So the browser will make a GET for the same form, display the message as you want, and if the user does F5 the browser will simply repeat the GET .
The only drawback, I believe, is that after F5 the same error messages will be displayed unless you clear the query string via JavaScript after the form.
I think this is a good method.
From the functional point of view, there is no problem in letting the F5 key resend the login data in case the authentication fails. The operation is idempotent .
However, from usability point of view, it might be best to avoid this and follow @mgibsonbr's direction and redirect yourself.
In addition to the query string , another alternative already used in other languages so that the login failure message survives one, and only one, redirect is to use the message concept flash . I have never used it in PHP, but this article has a description of how to implement this.
On the other hand, an Ajax authentication scheme is also possible to avoid all this complexity.
When the user clicks the submit button on the login form, make an Ajax POST call that returns a success or failure . If failure occurs, display in a field on the screen. If successful, redirect to the main page using window.location.href via Javascript. It's a very simple solution, especially if you use jQuery.
As a bonus, you can still deploy both solutions simultaneously, with the Ajax version added on the non-obstructive page. If javascript is disabled, login works in a "traditional" way.
