The site is built on MVC and has an authorization page with its own controller. If the authorization is correct, the user is sent to a closed page; if it is not, an error message, "Incorrect login or password", is generated in the controller and immediately printed in the View. Now the question: if the user presses F5, the form will be resubmitted. You can avoid the resubmission by redirecting to this same page, but then the error message will not be shown, since the variable is not defined. You could write the error message to the session. Is this a normal way out, or is there something better?

Closed because the question needs to be reformulated so that an objectively correct answer can be given, by participants Visman, Vladimir Glinskikh, Regent, Aries, PashaPash, October 24 '15 at 7:44.


    2 answers

    Use anti-multipost protection.

    As an option: at the beginning of the script we generate some kind of gibberish key, for example:

    // 10-character key cut from an MD5 of the current time plus a random number
    $GLOBALS['AUTH_KEY'] = substr(md5(time().rand(9000,999999)),5,10);

    and put this variable into the form:

     echo '<input type="hidden" name="auth_key" value="'.$GLOBALS['AUTH_KEY'].'"/>'; // or via a template; it doesn't really matter how we output it, as long as it ends up in the form

    At the end of the script, we write the key we generated to the session.

    When we process the form submit, the value in the session and $_REQUEST['auth_key'] should match; if they do not, this is a multipost (a second send) and we ignore the request.

      Yes, that's fine; it's called flash messages. You write the message to the session, then output it and immediately delete it. That's how it should work.

      • This mechanism is used in some frameworks, and I think it is quite well thought out. See how it is implemented in Yii, for example. - Barton
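
The two answers combined in one sketch, as an added example that is not part of the original answers: a single-use form key plus a session flash message around a redirect. The helper names are hypothetical, `$session` stands in for `$_SESSION` so the file runs from the command line, and `random_bytes` and `hash_equals` are swapped in for the `md5(time().rand())` key and a plain comparison.

```php
<?php
// Added example: helper names are hypothetical; $session stands in for $_SESSION.

function issue_form_token(array &$session): string {
    // Unpredictable single-use key, stored server-side and echoed into the form.
    return $session['auth_key'] = bin2hex(random_bytes(16));
}

function consume_form_token(array &$session, string $submitted): bool {
    $expected = $session['auth_key'] ?? '';
    unset($session['auth_key']);               // consumed whether or not it matches
    return $expected !== '' && hash_equals($expected, $submitted);
}

function set_flash(array &$session, string $message): void {
    $session['flash'] = $message;
}

function take_flash(array &$session): ?string {
    $message = $session['flash'] ?? null;
    unset($session['flash']);                  // output once, then delete
    return $message;
}

// Handles POST /login and returns the path to redirect to; a real controller
// would send header('Location: ' . $path, true, 303) and exit.
function handle_login_post(array &$session, array $post, callable $check): string {
    if (!consume_form_token($session, (string)($post['auth_key'] ?? ''))) {
        return '/login';                       // second send: ignore the request
    }
    $login = (string)($post['login'] ?? '');
    if ($check($login, (string)($post['password'] ?? ''))) {
        $session['user'] = $login;             // real code: session_regenerate_id(true) first
        return '/closed';
    }
    set_flash($session, 'Incorrect login or password');
    return '/login';
}

// Constructed walk-through: one failed login, a page refresh, then a replayed POST.
$session = [];
$check = fn(string $l, string $p): bool => $l === 'alice' && $p === 'constructed-password';
$post = ['auth_key' => issue_form_token($session), 'login' => 'alice', 'password' => 'wrong'];
var_dump(handle_login_post($session, $post, $check)); // first submit
var_dump(take_flash($session));                       // GET /login after redirect
var_dump(take_flash($session));                       // F5 on that GET
var_dump(handle_login_post($session, $post, $check)); // same POST sent again
var_dump(take_flash($session));                       // replay left no new message
```

Because the browser's last request after the redirect is a GET, F5 repeats only the GET; the single-use key covers the case where the same POST is still sent a second time.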