Flow re-authenticate flag on login failures

This avoid extra redirect and shows correct error message for wrong password.

Fixes #21854

login.php

@@ -49,6 +49,7 @@
 $t_return		= string_url( string_sanitize_url( gpc_get_string( 'return', config_get( 'default_home_page' ) ) ) );
 $f_from			= gpc_get_string( 'from', '' );
 $f_secure_session = gpc_get_bool( 'secure_session', false );
+$f_reauthenticate = gpc_get_bool( 'reauthenticate', false );
 $f_install = gpc_get_bool( 'install' );
 
 # If upgrade required, always redirect to install page.
@@ -69,15 +70,29 @@
 	}
 
 	$t_redirect_url = 'login_cookie_test.php?return=' . $t_return;
-
 } else {
-	$t_redirect_url = 'login_page.php?return=' . $t_return .
-		'&error=1&username=' . urlencode( $f_username ) .
-		'&secure_session=' . ( $f_secure_session ? 1 : 0 );
-	if( $t_allow_perm_login ) {
-		$t_redirect_url .= '&perm_login=' . ( $f_perm_login ? 1 : 0 );
+	$t_query_args = array(
+		'error' => 1,
+		'username' => $f_username,
+		'return' => $t_return,
+	);
+
+	if( $f_reauthenticate ) {
+		$t_query_args['reauthenticate'] = 1;
+	}
+
+	if( $f_secure_session ) {
+		$t_query_args['secure_session'] = 1;
 	}
 
+	if( $t_allow_perm_login && $f_perm_login ) {
+		$t_query_args['perm_login'] = 1;
+	}
+
+	$t_query_text = http_build_query( $t_query_args, '', '&' );
+
+	$t_redirect_url = 'login_page.php?' . $t_query_text;
+
 	if( HTTP_AUTH == config_get( 'login_method' ) ) {
 		auth_http_prompt();
 		exit;

login_page.php

@@ -300,6 +300,10 @@ class="form-control <?php echo $t_password_field_autofocus ?>">
 				</div>
 			<?php } ?>
 
+			<?php if( $f_reauthenticate ) {
+				echo '<input id="reauthenticate" type="hidden" name="reauthenticate" value="1" />';
+			} ?>
+
 			<div class="space-10"></div>
 
 			<input type="submit" class="width-40 pull-right btn btn-success btn-inverse bigger-110" value="<?php echo lang_get( 'login_button' ) ?>" />