It also goes without saying to make sure you "sterilize" user input if it is to be used to direct the user to a "password protected" area. Also, I tend to include a header in my code in "admin" areas that checks to see if the right person is in the right areas. If not, or if not logged in (say they bookmarked the page and came back much later), then they are redirected to the main login screen.
How are you determining if a login is valid or not?
If you are pulling from MySQL, then you can:
// CODE TO DETERMINE IF LOGIN IS CORRECT
$url = "http://www.domain.com/".$validusername;
header("Location: ".$url); // redirect; must run before any output is sent
exit;
Remember, like Insensus said, you have to send header() information before you send out ANY output.
Does this make sense?
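The points raised above (sterilizing the username before it goes into the redirect URL, a header check on protected pages, and calling header() before any output) can be combined as follows. This is an added example, not code from any poster in the thread; `BASE_URL`, `LOGIN_URL`, the `$_SESSION['username']` key, the function names and the username allowlist are all assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values for illustration (not taken from the thread's site).
const BASE_URL  = 'http://www.domain.com/';
const LOGIN_URL = 'http://www.domain.com/login.php';

// Build the per-user target, or null if the name is outside a strict allowlist.
// Rejecting CR/LF, '/', '.', ':' and '@' keeps it from changing path, host or headers.
function user_redirect_url(string $username): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $username) !== 1) {
        return null;
    }
    return BASE_URL . rawurlencode($username);
}

// Send the redirect and stop. Must be called before any output.
function redirect_to(string $url): void
{
    if (headers_sent($file, $line)) {
        error_log("Redirect blocked: output already started at $file:$line");
        exit('Redirect failed.');
    }
    header('Location: ' . $url, true, 302);
    exit; // never fall through into the protected page
}

// Header check for protected pages: returns the logged-in username.
function require_login(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = $_SESSION['username'] ?? null;
    if (!is_string($user) || user_redirect_url($user) === null) {
        redirect_to(LOGIN_URL); // not logged in, or a stale bookmark
    }
    return $user;
}

// Stand-alone demo on constructed inputs (CLI only).
if (PHP_SAPI === 'cli') {
    foreach (['alice', "bob\r\nX-Test: 1", '../admin'] as $name) {
        var_dump(user_redirect_url($name));
    }
}
```

On a protected page, `require_login()` would be the first statement in the file, ahead of any HTML or `echo`.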
Thanks all for the helpful post. I got it to work by doing the following:
/**
 * User has already logged in, so display relevant links, including
 * a link to the admin center if the user is an administrator.
 */
echo "<h1>Logged In</h1>";
echo "Welcome <b>$session->username</b>, you are logged in. <br><br>"
    ."[<a href=\"userinfo.php?user=$session->username\">My Account</a>] "
    ."[<a href=\"useredit.php\">Edit Account</a>] ";
// The iframe markup uses escaped quotes, so it is emitted from an echo string.
echo "<iframe id=\"login-form\" frameborder=\"0\" scrolling=\"no\" width=\"100%\" src=\"$serverroot.$session->directory/login-form.php\" height=\"400\" align=\"left\"></iframe><br />";
echo "[<a href=\"admin/admin.php\">Admin Center</a>] ";
echo "[<a href=\"process.php\">Logout</a>]";