There could be a vulnerability if your form also POSTs to index.php.
This is because it is susceptible in the following scenario:
- Alice logs in and then views your logged-in home page for any news.
- Alice's login session times out.
- Alice goes for lunch.
- Carol loads the browser's developer tools and then clicks refresh.
- The browser then resubmits the POST data from the login form.
- The username and password are visible in the browser tools, which Carol makes a note of to use maliciously at a later time.
This is an example scenario, and it is why OWASP recommend always redirecting after login, as this prevents the POST data from being cached in the browser.
In the above example, Carol could simply execute their attack after renewing the session that Alice had thought had timed out. Even if Alice had logged out explicitly, Carol could have clicked back to the logged-in home page and refreshed, and the POST data would also be refreshed in this scenario.
However, if you redirect the user, even to the same page, the login credentials will not be cached, as there is no HTTP 200 response.
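As an added illustration (not code from the original answer), the two handler shapes below model a page that POSTs its login form to itself: one renders the logged-in page directly in the 200 response to the POST, the other answers the POST with a 303 to the same URL so the browser's history entry becomes a credential-free GET. The user record, handler names and the simulated browser are constructed for this example.

```python
# Added example: post-redirect-get for a login form that POSTs to itself.
# Handler names, the sample user and the browser simulation are constructed.
from dataclasses import dataclass, field

CREDENTIALS = {"alice": "correct horse battery"}  # constructed sample user


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(form, session):
    """Record the user in the session when the posted credentials match."""
    if CREDENTIALS.get(form.get("user")) == form.get("password"):
        session["user"] = form["user"]


def render(session):
    """Logged-in news page, or the login form when no session exists."""
    if "user" in session:
        return Response(200, body=f"News for {session['user']}")
    return Response(200, body="<form method=post>login</form>")


def handle_vulnerable(method, path, form, session):
    """Renders the page in the 200 response to the POST itself, so the history
    entry for the logged-in page is a POST carrying the credentials."""
    if method == "POST":
        authenticate(form, session)
    return render(session)


def handle_redirect(method, path, form, session):
    """Same logic, but every POST is answered with 303 See Other to the same
    URL; the browser follows it with a GET, which is what Refresh replays."""
    if method == "POST":
        authenticate(form, session)
        return Response(303, headers={"Location": path})
    return render(session)


def login_flow(handler, path="/index.php"):
    """Simulate the browser: POST the form, follow a 302/303 with GET, and
    report what a Refresh on the resulting page would resubmit."""
    session, form = {}, {"user": "alice", "password": "correct horse battery"}
    resp = handler("POST", path, form, session)
    if resp.status in (302, 303):
        resp = handler("GET", resp.headers["Location"], {}, session)
        return resp, ("GET", {})        # refresh re-issues a bodyless GET
    return resp, ("POST", form)         # refresh re-issues the POST with creds
```

Both variants leave Alice logged in; the difference is only in what the browser keeps for that page, which is exactly what Carol's refresh relies on.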