i have the following login script with a .htaccess that redirects everything to login.php?page=whatever

<?
if(!$page) $page="index.html";
if($action == "logout") {
setcookie("HSuser","",time()-3600);
setcookie("HSpass","",time()-3600);
}
if((!$username) AND (!$password) AND isset($_COOKIE['HSuser']) AND isset($_COOKIE['HSpass'])) {
$username = $_COOKIE['HSuser'];
$password = $_COOKIE['HSpass'];
}
if($username && $password) {
$users = file_get_contents("users.php");
$str = "\n".$username.":".$password."\n";
if(eregi($str,$user)) { setcookie("HSuser",$username); setcookie("HSpass",$password,time()+3600*24); header("Location:$page"); exit;}
}
?>
<html><head><title>Log In</title><style type="text/css">
body { background-color:000000; color:3366ff; }
.text { background-color:000000; color:3366ff; border-width:1px; border-color:0000ff; border-style:solid; }
</style></head><body>
<center><h1>Log in</h1><hr width=85% color=0000ff>
<form action="<?=$page?>" method=post>
<table><tr><td>Username:</td><td><input type=text name=username <? if(isset($_COOKIE['HSuser'])) { echo "value=\"".$_COOKIE['HSuser']."\" "; }?>class=text></td></tr>
<tr><td>Password:</td><td><input type=password name=password class=text></td></tr>
<tr><td align=right colspan=2><input type=submit name=submit value=LogIn class=text></td></tr>
</table></form></body></html>

the page goes back to the login page, not sure if the vars are being passed with the .htaccess or if it is just a script problem, suggestions?