Trouble with my logins and cookies :/


Ludatha
06-28-2008, 11:10 AM
OK, I just found a strange bug on my site: when you click logout, it logs you out, but if you navigate to any other page, you get logged back in again.

Also I set cookies to stay logged in but it doesn't seem to log me back in.

Since my script is huge, I will only post the parts that are to do with the login.


Main login code
session_start(); // Start the session

$loggedin = "false"; // Not so logged in :(

$sub = true;
if (isset($_GET['sub'])) { // if ?sub is in the url
    if ($_GET['sub'] == "logout") { // if ?sub is logout
        $sub = false; // the logout page is not called
    }
}

if ($sub == "true") { // If the logout page doesn't exist (PHP's loose comparison makes true == "true")
    // Checks if there is a login cookie
    if (isset($_COOKIE['ID_Ludatha'])) {
        // if there is, it logs you in and directs you to the members page
        $username = $_COOKIE['ID_Ludatha'];
        $pass = $_COOKIE['Key_Ludatha'];
        $check = mysql_query("SELECT * FROM members WHERE username = '$username'") or
            die(mysql_error());
        while ($info = mysql_fetch_array($check)) {
            if ($pass != $info['password']) {
                // cookie password does not match, stay logged out
            } else {
                $loggedin = "true"; // Logged in :)
            }
        }
    }
}


// if the login form is submitted
if (isset($_POST['submit'])) { // if form has been submitted

    // makes sure they filled it in (|| is logical or; a single | is a bitwise or)
    if (!$_POST['username'] || !$_POST['pass']) {
        die('You did not fill in a required field.');
    }

    // checks it against the database
    $check = mysql_query("SELECT * FROM members WHERE username = '" . $_POST['username'] .
        "'") or die(mysql_error());

    // Gives error if user doesn't exist
    $check2 = mysql_num_rows($check);
    if ($check2 == 0) {
        die('That user does not exist in our database. <a href=add.php>Click Here to Register</a>');
    }
    while ($info = mysql_fetch_array($check)) {
        $_POST['pass'] = stripslashes($_POST['pass']);
        $info['password'] = stripslashes($info['password']);
        $_POST['pass'] = md5($_POST['pass']);

        // gives error if the password is wrong
        if ($_POST['pass'] != $info['password']) {
            die('Incorrect password, please try again.');
        } else {

            // if login is ok then we add a cookie
            $_POST['username'] = stripslashes($_POST['username']);
            $hour = time() + 3600;
            setcookie("ID_Ludatha", $_POST['username'], $hour);
            setcookie("Key_Ludatha", $_POST['pass'], $hour);

            // then redirect them to the members area
            $loggedin = "true"; // Logged in :)
            define("LOGGEDIN", "TRUE");
            $_SESSION['username'] = $_POST['username'];
            $_SESSION['password'] = md5($_POST['pass']);
            $_SESSION['UNI_ID'] = uniqid();
        }
    }
}

Logout
function logout() {
    global $loggedin; // without this the assignment below only changes a local copy
    $year = 3600*24*365;
    // this makes the time in the past to destroy the cookie
    setcookie("ID_Ludatha", "gone", time()-$year);
    setcookie("Key_Ludatha", "gone", time()-$year);
    session_destroy();
    $loggedin = false;
    echo '<div class="contain">
        <div class="con-header">Logout</div>
        <div class="con-subheader">You have been logged out!</div>
        <div class="con-content">If you wish to log back in again, please enter your details at the top of the page.</div>
        </div>';
}


How the pages are set up
// Sub Pages
if (isset($_GET['act']) && isset($_GET['sub'])) {

    // GENERAL
    if ($_GET['sub'] == "logout") {
        logout();
    } elseif ($_GET['sub'] == "login") {
        $pages->login();
    }
}


Can anyone help?

If you need it, I'll upload the site and create a login so you can see what's happening.

Iszak
06-28-2008, 11:43 AM
Lots of people would advise not to use cookies as they're insecure; use sessions.

Ludatha
06-28-2008, 12:00 PM
But people get angry when they get logged out all the time :/

CFMaBiSmAd
06-28-2008, 03:34 PM
Cookies are not insecure if used properly (you should not store any personal identifying information in them - see my post in this thread - http://www.codingforums.com/showthread.php?t=142780 .)

By default a session id is passed using a cookie anyway. The alternative of passing the session id on the end of the URL carries similar risks. Someone can steal the value from a cookie or the session id with the same amount of effort and come to your site and appear to be the actual visitor. If what you are doing requires protection from someone stealing a value in a cookie or stealing a session id, then you need to use https/ssl.
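Putting the two halves of this thread together (a "stay logged in" cookie that does not carry the username and password hash, and a logout that actually clears what login set), here is an added example; it is not code from the thread or from Ludatha's site. It assumes $db is an open PDO connection, a table remember_tokens(selector, validator_hash, user_id, expires), and a cookie named remember_Ludatha; all three names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumes $db is an open PDO connection and a
// table remember_tokens(selector, validator_hash, user_id, expires); the table and the
// cookie name remember_Ludatha are assumptions for illustration.
const REMEMBER_COOKIE = 'remember_Ludatha';
const COOKIE_PATH = '/';   // set and clear the cookie with the same path, or the clear is ignored

// Called after a successful password check: store a random token, not the username/hash.
function issueRememberCookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(8));    // lookup key
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored server-side
    $expires   = time() + 30 * 24 * 3600;
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, "$selector:$validator", $expires, COOKIE_PATH, '',
              !empty($_SERVER['HTTPS']), true);   // Secure when on https, HttpOnly always
}

// Run after session_start() on every page, before any output; returns the user id or null.
function loginFromRememberCookie(PDO $db): ?int {
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens
                          WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    session_regenerate_id(true);              // new session id once authenticated
    $_SESSION['user_id'] = (int) $row['user_id'];
    return $_SESSION['user_id'];
}

// Logout: revoke the server-side token, then expire both cookies and destroy the session.
// Must run before any echo: setcookie() silently fails once headers have been sent.
function logout(PDO $db): void {
    if (!empty($_COOKIE[REMEMBER_COOKIE])) {
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    }
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, COOKIE_PATH);
    setcookie(REMEMBER_COOKIE, '', time() - 3600, COOKIE_PATH);
    session_destroy();
}
```

Because the cookie only holds a random token that is deleted from the table on logout, a copy of it is useless afterwards, and a page visited after logout cannot log the user back in the way the ID_Ludatha/Key_Ludatha pair did.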