I think this is a good method.
From a functional point of view, there is no problem in letting the F5 key resend the login data in case the authentication fails. The operation is idempotent.
However, from a usability point of view, it might be best to avoid this, follow @mgibsonbr's direction, and do the redirect yourself.
In addition to the query string, another alternative, already used in other languages so that the login failure message survives one, and only one, redirect, is to use the flash message concept. I have never used it in PHP, but this article has a description of how to implement this.
On the other hand, an Ajax authentication scheme is also possible to avoid all this complexity.
When the user clicks the submit button on the login form, make an Ajax POST call that returns success or failure. If it fails, display the error in a field on the screen. If it succeeds, redirect to the main page using window.location.href via JavaScript. It's a very simple solution, especially if you use jQuery.
As a bonus, you can still deploy both solutions simultaneously, with the Ajax version added to the page unobtrusively. If JavaScript is disabled, login works in a "traditional" way.
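
The Ajax flow described in the answer above, as an added example that is not part of the original answer. It uses plain `fetch` rather than jQuery; the `/login` endpoint, the `{"success": true|false}` JSON reply, the `/home` page and the element ids are assumptions made for illustration.

```javascript
// Added example: Ajax login layered over a normal HTML form.
// Assumed (not from the original answer): the /login endpoint, the JSON reply
// shape {"success": true|false}, the /home landing page and the element ids.
const LOGIN_URL = "/login";
const HOME_URL = "/home";
const FAILURE_TEXT = "Login failed. Check your username and password.";

// Applies the server's verdict to the page. `ui` needs only `messageEl`
// (any object with textContent) and `location` (any object with href).
function applyLoginResult(result, ui) {
  if (result && result.success === true) {
    // Fixed destination: never navigate to a URL taken from the response.
    ui.location.href = HOME_URL;
    return "redirected";
  }
  // textContent, not innerHTML, so the message is never parsed as markup.
  ui.messageEl.textContent = FAILURE_TEXT;
  return "failed";
}

// Sends the credentials as a form-encoded POST and returns the outcome.
// `fetchFn` is injectable so the logic can also run outside a browser.
async function submitLogin(fields, ui, fetchFn = fetch) {
  let result = null;
  try {
    const res = await fetchFn(LOGIN_URL, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams(fields).toString(),
      credentials: "same-origin", // send and receive the session cookie
    });
    if (res.ok) result = await res.json();
  } catch (err) {
    result = null; // a network or parse error is shown as a failed login
  }
  return applyLoginResult(result, ui);
}

// Browser wiring: without JavaScript the form still posts the traditional way.
if (typeof document !== "undefined") {
  const form = document.querySelector("#login-form");
  if (form) form.addEventListener("submit", (ev) => {
    ev.preventDefault();
    const ui = { messageEl: document.querySelector("#login-error"), location: window.location };
    submitLogin(Object.fromEntries(new FormData(form)), ui);
  });
}
```

Because the handler only intercepts the submit event, the same form keeps its normal `action` and `method` and falls back to the server-side redirect flow when scripts do not run.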