Because when I intercepted with Burp Suite, it showed that the real request behind the authentication function is "redirect.php", not "login.php".
The page "login.php", in this case, is just the front-end. It sent all values to "redirect.php" instead.
Does this answer the question?