Securing website with Login an logout

[princegifted]

I am a complete beginner, I designed a website i need to secure with login. The website requires different Admin login and User login. I have designed database for both. I used the following for the user. I can login successfully but the webpages are still on protected.

(login_form.php)

<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#00ff00">
<tr>
<td colspan="3"><div align="center" class="style6">Member Login </div></td>
</tr>
<tr>
<td width="74">Username</td>
<td width="12">:</td>
<td width="293"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table></div>
<label></label></th>
</tr>

<tr>
<td colspan="3" scope="row"></td>
</tr>
<tr>
<td colspan="3" scope="row"><div align="center"><span class="style5">Copyright (c) 2012. Skycom Incorporated. All rights reserved. </span></div></td>
</tr>
</table>
<p>&nbsp; </p>
</div>
</form>


(checklogin.php)

<?php

ob_start();
$host="localhost"; // Host name
$username="thepass"; // Mysql username
$password="thepass"; // Mysql password
$db_name="thepass"; // Database name
$tbl_name="pass_member"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $username and $password, table row must be 1 row
if($count==1){

// Register $username, $password and redirect to file "login_success.php"
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
ob_end_flush();
?>


(login_success.php)

<?php
// Check if session is not registered, redirect back to main page.
// Put this code in first line of web page.
session_start();
if( isset($_SESSION["username"]) ){
header("location:login_form.php");
}
?>

(logout.php)

<?php

$past = time() - 100;

//this makes the time in the past to destroy the cookie

setcookie('ID_my_site, gone, $past');

setcookie('Key_my_site, gone, $past');

header("Location: login.php");

?>

Please I will be forever grateful to you if you can help me through this.

[johhny-s]

i havent looked closely but you probably need to session_start(); before you do

$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

also, its totally unnecessary to put the user's password into the session; its very bad practice.

also you should be hashing your passwords and not storing them in plain text (google: hashing passwords)

i would suggest checking out some tutorials on writing secure systems; but really I would be using an existing system for securing your site; look at any sort of CMS or framework that has usernames/passwords; you dont want to reinvent the wheel!