A few thoughts/suggestions. First, use a single password file outside the web-accessible tree. This prevents someone from being able to read it, and also prevents someone from doing something to the username variable and getting into portions of the tree they should not be in (such as was mentioned in another recent posting). Secondly, the salt in a password is stored as part of the password, so you will need to retrieve the same salt for encoding the current entry to ensure it matches.

As to your question about staying logged in, I am guessing here, but instead of printing "You are now logged in", send them to a page that sets a cookie with a reasonable timeout (say, 10min), that as soon as the cookie is set directs them to another page. Then, each time they hit a page, check to see if the cookie is set, directing them back to the login screen if it is not set or has expired, or updating the expire time if it is still valid (so it will be the reasonable timeout period you set from that time).

Just a few thoughts. Hope they help.