login.html

<html>
<head>
<title>
 login
</title>    
</head>

<body>
<fieldset>
    <legend title=login>login</legend>
    <form action="login.php" method="post">

    Username:<br /> 
    <input type="text" name="username" value="" /> 
    <br /><br /> 
    Password:<br /> 
    <input type="password" name="password" value="" /> 
    <br /><br /> 
    <input type="submit" value="Login" />

</form>
</fieldset>
<a href="register.html">Register</a>
<a href="forgotpassword.php">Forgot Password</a>
</body>
</html>

login.php

<?php
    session_start();
    require("DBconnect.php");   
    $username =$_POST[ 'username' ];
    $password=$_POST[ 'password' ];
    if(!empty($_POST)) 
    { 
        // This query retreives the user's information from the database using 
        // their username. 
        $query = " SELECT  user_id,username,password,salt,email FROM users WHERE username ='$username'";
        $result = mysql_query($query);

        if ($result)
         {
         // Fetch the number in the first column of the only row in 
         // the result set.
         $row = mysql_fetch_row($result);
         echo $row[0];

          if($row) 
          { 
            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database. 
            $check_password = hash('sha256', $_POST['password'] . $row[3]); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row[3]); 
            } 

            if($check_password == $row[2]) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true; 
            } 
          } 
         }
        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            //unset($row['salt']); 
            //unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            //$_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: private.php"); 
            die("Redirecting to: private.php"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("Login Failed."); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 

?>

***

errors***
Undefined index: username in C:\wamp\www\Authentication system\login.php on line 4
Undefined index: password in C:\wamp\www\Authentication system\login.php on line 5

hello sikha header doesn't work after <html> Tag. can u tell me how to check user is login or not before to write comments....

header works after html tag....and my problem is in login .php page

This is strange. It works fine for me. Can you put this code on the very beginning of the lgin.php:

die(print_r($_POST, 1));

This will display contents of the $_POST array and stop the script.

<?php
    session_start();
    require("DBconnect.php");   
    if(!empty($_POST['username']) && !empty($_POST['password']))
    {
            $user =$_POST[ 'username' ];
            $pass=$_POST[ 'password' ];
            $qry = " SELECT  user_id,username,password,salt,email FROM users WHERE username ='$user'";
            $result = mysql_query($qry);
            if ($result)
            {
                $row = mysql_fetch_array($result);
                echo $row[0];

            // Using the password submitted by the user and the salt stored in the database, 
            // we now check to see whether the passwords match by hashing the submitted password 
            // and comparing it to the hashed version already stored in the database.
            $check_password = hash('sha256', $_POST[ 'password' ] . $row[3]); 
            for($round = 0; $round < 65536; $round++) 
            { 
                $check_password = hash('sha256', $check_password . $row[3]); 
            } 

            if($check_password == $row[2]) 
            { 
                // If they do, then we flip this to true 
                $login_ok = true;
                echo "successful login";
            } 

         }
        // If the user logged in successfully, then we send them to the private members-only page 
        // Otherwise, we display a login failed message and show the login form again 
        if($login_ok) 
        { 
            // Here I am preparing to store the $row array into the $_SESSION by 
            // removing the salt and password values from it.  Although $_SESSION is 
            // stored on the server-side, there is no reason to store sensitive values 
            // in it unless you have to.  Thus, it is best practice to remove these 
            // sensitive values first. 
            //unset($row['salt']); 
            //unset($row['password']); 

            // This stores the user's data into the session at the index 'user'. 
            // We will check this index on the private members-only page to determine whether 
            // or not the user is logged in.  We can also use it to retrieve 
            // the user's details. 
            //$_SESSION['user'] = $row; 

            // Redirect the user to the private members-only page. 
            header("Location: private.php"); 
            die("Redirecting to: private.php"); 
        } 
        else 
        { 
            // Tell the user they failed 
            print("Login Failed."); 

            // Show them their username again so all they have to do is enter a new 
            // password.  The use of htmlentities prevents XSS attacks.  You should 
            // always use htmlentities on user submitted values before displaying them 
            // to any users (including the user that submitted them).  For more information: 
            // http://en.wikipedia.org/wiki/XSS_attack 
            $user = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
        } 
    } 

?>

***
error***
Undefined variable: login_ok

Initialize $login_ok on the beginning (after session_start):

$login_ok = false;

it is working till echo $row[0]

And what happens after that?