Forum Moderators: coopster

Members' area and Sessions - Stuck!

lbamba

3:40 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



Hi guys, I've been trying to find out why I can still access the "members' only area" OK.php, even without being logged in, and I am probably blind because I cannot see what is wrong. I just don't want OK.php accessed if the user is NOT logged in.

Here is the code I used:
index.php
---------
<?php
//form.php
session_start() ;
if(isset($_SESSION[ "web_user" ])){
echo "<a href='logout.php'>Log Out</a>" ;
}else{
//display error if wrong username or password is entered
if(isset($loginerror)){echo "<strong>" .$loginerror. "</strong>" ; }
?>
<form name="loginform" method="POST" action="scr_login.php" >
<table width="400" border="0" cellspacing="0" cellpadding="3" >
<tr>
<td width="100" >Username: </td>
<td> <input name= "username" type="text" id="username" > </td>
</tr>
<tr>
<td width="100" >Password: </td>
<td> <input name="password" type="password" id="password" > </td>
</tr>
<tr>
<td width="100" > &nbsp; </td>
<td> <input type="submit" name="Submit" value="Submit" > </td>
</tr>
</table>
</form>
<?php }?>

scr_login.php
-------------
<?php
//scr_login.php
session_start() ;
require_once( "scr_config.php" );
$username = trim($_REQUEST[ 'username' ]);
$password = trim($_REQUEST[ 'password' ]);

$query = "SELECT * FROM table WHERE username = '$username' AND password = '$password'" ;
$result = mysql_query($query) or die ( "Error in query: $query. " . mysql_error() );
$rows = mysql_num_rows($result);
$row=mysql_fetch_assoc($result);

//if correct username and password we'll register sessions and redirect the user to the main page defined in the scr_config.php otherwise we'll redirect the user to the login page
if($rows == 1){
$_SESSION [ "web_user" ] = $username;
$_SESSION [ "web_pass" ] = $password;
header( "Location: $adminpage" );
exit() ;
}else{
$loginerror = "Wrong Username or Password" ;
header( "Location: error.htm" );
exit() ;
}

?>

scr_config.php
--------------
<?php
//scr_config.php - database connection script
$hostname_logon = "l****" ; //replace with your database location
$database_logon = "d****" ; //replace with your database name
$username_logon = "****" ; //replace with database username
$password_logon = "****" ; //replace with database password
$logon = mysql_pconnect($hostname_logon, $username_logon, $password_logon) or trigger_error(mysql_error(),E_USER_ERROR);
mysql_select_db($database_logon) or die ( "Unable to select database!" );

//redirect to this page on successful login. If that page is in a different directory make sure to include the path.
$adminpage = "OK.php" ;
?>

OK.php
------
<?php
//form.php
session_start() ;
if(isset($_SESSION[ "web_user" ])){
echo "<a href='logout.php'>Log Out</a>" ;
}else

//display error if wrong username or password is entered
if(isset($loginerror)){echo "<strong>" .$loginerror. "</strong>" ; }

?>

<html>
<head>
<title>Authorised User Access</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<table width="518" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td align="center">
<h1>Authorised Access</h1>
...

logout.php
----------
<?php
//scr_logout.php
session_start() ;
session_unset() ;
session_destroy() ;
?>

dmmh

4:10 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



hello and welcome :)

try this and take note of my comments, maybe it helps you along your way. Don't know if I have found the error, but maybe I have, and there are some huge security flaws in your code

<?
//form.php
session_start() ;
if(!empty($_SESSION['web_user'])){
echo "<a href='logout.php'>Log Out</a>" ;
}else{
//display error if wrong username or password is entered
if(isset($loginerror)){echo "<strong>" .$loginerror. "</strong>" ; }
?>
<form name="loginform" method="POST" action="scr_login.php" >
<table width="400" border="0" cellspacing="0" cellpadding="3" >
<tr>
<td width="100" >Username: </td>
<td> <input name= "username" type="text" id="username" > </td>
</tr>
<tr>
<td width="100" >Password: </td>
<td> <input name="password" type="password" id="password" > </td>
</tr>
<tr>
<td width="100" > &nbsp; </td>
<td> <input type="submit" name="Submit" value="Submit" > </td>
</tr>
</table>
</form>
<?php }?>

scr_login.php
-------------
<?php
//scr_login.php
/*there are a couple of things wrong here, which pose huge security risks. The risks of course depend on your type of site
- you are not escaping user input, which leaves your site vulnerable to SQL injection, one of the most exploited security related 'issues'
before you enter anything into a query, first escape the user input. Since you are using MySQL, using the mysql_real_escape_string() function is
the most convenient way ( [nl2.php.net...] )
- second of all, and this is even worse, you are storing the password un-encrypted. When a user completes his registration, encrypt the password via
MySQL's built in encryption functions before you INSERT it into the table. MD5() and SHA1() are both very secure ways to encrypt passwords.
Take a look at this page: [dev.mysql.com...]
If you have used either of those functions to encrypt it, use it again in your login query
- storing passwords in unencrypted form in a session variable isn't very wise either and you will (most likely) never have need for it anyway
- DO NOT USE the $_REQUEST variable, it is way too dangerous
from php.net:

$_REQUEST

Variables provided to the script via the GET, POST, and COOKIE input mechanisms, and which therefore CANNOT BE TRUSTED.

Use $_POST instead
*/
session_start() ;
require_once( "scr_config.php" );
$username = mysql_real_escape_string(trim($_POST['username']));
$password = mysql_real_escape_string(trim($_POST['password']));

//$query = "SELECT * FROM table WHERE username = '$username' AND password = '$password'" ;
$query = "SELECT * FROM table WHERE username = '$username' AND password = MD5('$password')" ; //or SHA()/SHA1, depending on what you used to store it in the first place
$result = mysql_query($query); //or die ( "Error in query: $query. ". mysql_error() ); no error message here for more security, you never know, uncomment to debug only
$rows = mysql_num_rows($result);
$row = mysql_fetch_assoc($result);

//if correct username and password we'll register sessions and redirect the user to the main page defined in the scr_config.php otherwise we'll redirect the user to the login page
if($rows == 1){
$_SESSION ['web_user'] = $row['username'];
//$_SESSION ['web_pass'] = $password; //why in earths name are you storing a un-encrypted password in a session variable?

header( "Location: $adminpage" );
exit() ;
}else{
$loginerror = "Wrong Username or Password" ;
header( "Location: error.htm" );
exit() ;
}

?>

scr_config.php
--------------
<?php
//scr_config.php - database connection script
$hostname_logon = "l****" ; //replace with your database location
$database_logon = "d****" ; //replace with your database name
$username_logon = "****" ; //replace with database username
$password_logon = "****" ; //replace with database password
$logon = mysql_pconnect($hostname_logon, $username_logon, $password_logon) or trigger_error(mysql_error(),E_USER_ERROR);
mysql_select_db($database_logon) or die ( "Unable to select database!" );

//redirect to this page on successful login. If that page is in a different directory make sure to include the path.
$adminpage = "OK.php" ;
?>

OK.php
------
<?php
//form.php
session_start() ;
if(!empty($_SESSION['web_user'])){
echo "<a href='logout.php'>Log Out</a>" ;?>
<html>
<head>
<title>Authorised User Access</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<table width="518" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td align="center">
<h1>Authorised Access</h1>
...
<? }//display error if wrong username or password is entered
if(isset($loginerror)){
echo "<strong>" .$loginerror. "</strong>" ; }

logout.php
----------
<?php
//scr_logout.php
session_start() ;
session_unset() ;
session_destroy() ;
?>
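The points dmmh raises in the comments above (unescaped input in the query, cleartext passwords, the password copied into the session) are the usual ones for a login script of this era. As an added example, not code from this thread or from any of its posters, here is how the same scr_login.php reads with the tools PHP has had since 5.5/7: a PDO prepared statement instead of string-built SQL, `password_verify()` against a hash produced by `password_hash()` at registration, and a fresh session id on successful login. The table name `users`, the column `password_hash`, and the connection placeholders are assumptions; the `mysql_*` functions used in the thread were removed in PHP 7, so this also assumes PHP 7 or later.

```php
<?php
// scr_login.php, rewritten as an added example (not dmmh's or lbamba's code).
// Assumes a table `users` with columns `id`, `username` and `password_hash`,
// the hash having been produced by password_hash() when the user registered.
// Requires PHP 7+ (PDO, password_hash()/password_verify(), the ?? operator).
session_start();

// Only act on the form's POST submission; a plain GET just goes back to the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: index.php');
    exit;
}

$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';

// Connection details are placeholders; replace them with your own values.
$pdo = new PDO('mysql:host=localhost;dbname=DATABASE_NAME;charset=utf8mb4',
               'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The prepared statement keeps the username out of the SQL text entirely, so
// there is no escaping step to forget and quotes in the input cannot change the query.
$stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // No such user: still spend one hash computation so the response time does
    // not reveal whether the username exists.
    password_hash($password, PASSWORD_DEFAULT);
    $ok = false;
} else {
    // Constant-time comparison against the stored hash; the salt and cost
    // parameters are read from the hash string itself.
    $ok = password_verify($password, $row['password_hash']);
}

if ($ok) {
    // New session id at the moment of login, so an id handed to the browser
    // before authentication is never promoted to an authenticated one.
    session_regenerate_id(true);
    $_SESSION['web_user']      = $row['username'];
    $_SESSION['user_id']       = (int) $row['id'];
    $_SESSION['login_time']    = time();   // used for an absolute session limit
    $_SESSION['last_activity'] = time();   // used for an idle timeout
    header('Location: OK.php');
    exit;
}

// One message for both "unknown user" and "wrong password", kept in the
// session because a local $loginerror does not survive the redirect.
$_SESSION['loginerror'] = 'Wrong Username or Password';
header('Location: index.php');
exit;
```

Two details worth noting. The thread's index.php tests `isset($loginerror)`, but scr_login.php sets that variable and then redirects, so it is gone by the time index.php runs; carrying the message in `$_SESSION['loginerror']` (and unsetting it after display) is what makes that error line actually appear. And the password itself is never written anywhere after `password_verify()` returns, which is the point dmmh makes about `$_SESSION['web_pass']`.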

lbamba

4:30 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



thanks a lot ddmmh.

I paid attention to your comments and they were really important.

I tried to alter my code in the suggested way and now I get a more elementary error (Parse error: parse error, unexpected T_VARIABLE in scr_login.php on line 11); this is at $rows = mysql_num_rows($result);

There is something that the engine doesn't like I suppose..

jatar_k

4:36 pm on Sep 27, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld lbamba,

when you get a parse error on a line that looks ok, look at the line before for a dropped semicolon, a mismatched brace, a dropped parenthesis or even a missing dollar sign. Lines that are not properly constructed often cause an error in the following line or later on down in the code.

dmmh

4:56 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



change:
$result = mysql_query($query)

on line 11 to:

$result = mysql_query($query);

should fix it

lbamba

5:58 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



dmmh, yes I was a bit blind. It's OK now.
THOUGH this ok.php doesn't want to help me! You can still access localhost/ok.php without being logged in successfully! I just want users to access ok.php ONLY AFTER having entered their details successfully. I believe that there is a small detail that I have to change but I am not sure what!

Once again here's the OK.php code:

<?php
//form.php
session_start() ;
if(isset($_SESSION['web_user'])){
echo "OK" ;
}
else
{
//display error if wrong username or password is entered
if(isset($loginerror)){
header( "Location: error.htm" ) ; } }
?>

<html>
<head>
<title>Authorised User Access</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<table width="518" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td align="center">
<h1>Authorised Access</h1>
</td>
</tr>
</table>
<div align="center">
<p><br>
Welcome to the password-protected area of the web site.</p>
</div>
<div align="center">
<p><br><a href="logout.php">Log out</a>
</p>
</div>
</body>
</html>

dmmh

6:20 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



the html isn't inside the curly brackets, inside the if statement, so there is no way for PHP to distinguish whether or not it should be shown

it is supposed to be like this:

<?php
//form.php
session_start() ;
if(!empty($_SESSION['web_user'])){?>
<html>
<head>
<title>Authorised User Access</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table width="518" border="0" cellspacing="0" cellpadding="0" align="center">
<tr>
<td align="center">
<h1>Authorised Access</h1>
</td>
</tr>
</table>
<div align="center">
<p><br>
Welcome to the password-protected area of the web site.</p>
</div>
<div align="center">
<p><br><a href="logout.php">Log out</a>
</p>
</div>
</body>
</html>
<? }else{
echo 'login first'
}

//display error if wrong username or password is entered
if(isset($loginerror)){
header( "Location: error.htm" );
}?>

lbamba

6:33 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



i smell we are next to the target but it is now complaining with "Parse error: parse error, unexpected '}', expecting ',' or ';' in OK.php on line 35".

This is the line where
<? }else{
echo 'login first'
} <----------- line 35.

dmmh

7:19 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



<? }else{
echo 'login first';
}

like said before, if it complains about parse errors, the first thing to look for is missing semicolons ( ; ) on the line before it :)

sorry I forgot it though

lbamba

8:26 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



Thanks dmmh! It's working absolutely great now!

however, just another question that has arisen. How can I define the length of the session? i.e. how can I state that I want the session to expire after 1 hour?

dmmh

9:01 pm on Sep 27, 2005 (gmt 0)

10+ Year Member



I'm not gonna spoil this one, but you can read about session related stuff here :
[php.net...]

lbamba

3:55 pm on Sep 28, 2005 (gmt 0)

10+ Year Member



Hmm, I try to play it smart by just adding a line in
scr_login.php. Does it need something really more?

<?php
//scr_login.php
session_start();
require_once( "scr_config.php" );
$username = mysql_real_escape_string(trim($_POST['username']));
$password = mysql_real_escape_string(trim($_POST['password']));

$query = "SELECT * FROM table WHERE username = '$username' AND password = MD5('$password')" ;
$result = mysql_query($query);
$rows = mysql_num_rows($result);
$row=mysql_fetch_assoc($result);

//if correct username and password we'll register sessions and redirect the user to the main page defined in the scr_config.php otherwise we'll redirect the user to the login page

ini_set("session.gc_maxlifetime","600"); //new line added for session timeout
if($rows == 1){
$_SESSION ['web_user'] = $row['username'];
header( "Location: $adminpage" );
exit() ;
}else{
$loginerror = "Wrong Username or Password" ;
header( "Location: error.htm" );
exit() ;
}

?>

dmmh

10:13 pm on Sep 28, 2005 (gmt 0)

10+ Year Member



should do the trick :)

dmmh

10:20 pm on Sep 28, 2005 (gmt 0)

10+ Year Member



best way is to edit your .htaccess file and put the following line under the last one already there:

php_value session.gc_maxlifetime 600

ini_set() has one drawback: the value is only maintained until the script has stopped executing, then it switches back to the value in the php.ini file on the webserver

if you are running Apache, the best way is to put in the line I mentioned above, which will override the value in the php.ini file and will hold the value for all scripts :)
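Two things in this thread are tied together in practice: the access check that dmmh gets working by wrapping OK.php's HTML in an if/else, and the one-hour expiry lbamba asks about. `session.gc_maxlifetime`, whether set in .htaccess or with `ini_set()`, is only the age at which PHP's garbage collector is *allowed* to delete a session file; the collector runs on a random fraction of requests (`session.gc_probability`/`session.gc_divisor`), and where several sites share one save path the smallest configured value effectively wins. It is also read during `session_start()`, so lbamba's `ini_set()` placed after `session_start()` has no effect on that request at all. The reliable enforcement is a timestamp the application checks itself. As an added example, not code from the thread or its posters, here is a single `require_login.php` that does both the login gate and the timeout; a protected page then starts with `<?php require_once 'require_login.php'; ?>` and is followed by plain HTML, with nothing to wrap in braces. It assumes the login script stored `login_time` and `last_activity` alongside `web_user` when it authenticated the user (the thread's scr_login.php sets only `web_user`, so those two `time()` assignments would have to be added there), and assumes PHP 7 or later.

```php
<?php
// require_login.php, an added example (not code from this thread).
// Include as the first line of every protected page:
//     <?php require_once 'require_login.php'; ?>
// Nothing after the include is reached for a visitor who is not logged in,
// so the page's HTML needs no if/else around it.

const IDLE_TIMEOUT   = 3600;        // one hour with no request ends the session
const ABSOLUTE_LIMIT = 8 * 3600;    // and no session lives longer than eight hours

// Ask the garbage collector not to remove the file before our own limit.
// This only lasts for the current request and the collector runs
// probabilistically, so it is a floor on storage lifetime, not the enforcement.
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
ini_set('session.use_strict_mode', '1');   // reject session ids the server never issued
ini_set('session.cookie_httponly', '1');   // cookie is not readable by page scripts

session_start();

// True only for a session that was created by a real login and has not
// exceeded either the idle window or the absolute lifetime.
function session_is_valid(array $sess, int $now): bool
{
    if (empty($sess['web_user']) || empty($sess['login_time']) || empty($sess['last_activity'])) {
        return false;
    }
    if ($now - (int) $sess['last_activity'] > IDLE_TIMEOUT) {
        return false;
    }
    if ($now - (int) $sess['login_time'] > ABSOLUTE_LIMIT) {
        return false;
    }
    return true;
}

if (!session_is_valid($_SESSION, time())) {
    // Expired or never logged in: drop the server-side data and the cookie,
    // then send the visitor to the login form. The exit matters: header()
    // alone does not stop the rest of the page from being sent.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// Still valid: slide the idle window forward for this request.
$_SESSION['last_activity'] = time();
```

The `IDLE_TIMEOUT` of 3600 seconds is the "expire after 1 hour" lbamba asked for, measured from the last request rather than from login; the absolute limit caps a session that is kept alive by steady activity. Both checks run on every protected request, so the expiry does not depend on when, or whether, the garbage collector happens to run.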