09-14-2009, 05:12 PM
Where are $username and $password set? Where does the script take you? Does it always error out or does it report a login? If it reports a successful login, is your cookie modified correctly?
I also see some major security issues:
1. No SQL cleaning that I can see
2. No validation, you merely stick the user's username in the cookie (cookies can be created and modified by the user)
While not a critical note, you should be working with database IDs. Instead of updating where username and password is X, you need to find users by their unique database ID.