[eluser]skunkbad[/eluser]
There are many vulnerabilities in login scripts, and unless you do some research on authentication exploits, you are sure to create something that can be bypassed, hacked, etc.
One thing I see is that anyone who can modify a cookie, or fabricate a cookie that sets the variables to TRUE, is logged in. You shouldn't be testing for TRUE. You should be testing for a unique ID, and some sort of token. What you choose as your token should be something unique to the client's machine, or possibly the browser.
You might take a look at my Community Auth, located in my signature. The Authentication class is where all the action happens, and it should give you some ideas.
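
The check described in the post above, as an added example that is not part of the original post and is not taken from Community Auth. The function names, the cookie keys `uid` and `token`, and the `$store` array standing in for a database table are assumptions made for illustration.

```php
<?php
// Weak check the post warns about: the cookie only has to carry a truthy flag.
function is_logged_in_weak(array $cookie): bool
{
    return !empty($cookie['logged_in']);
}

// After the password is verified: create a random token and keep only its
// hash server-side, tied to the user ID and to the browser that logged in.
function issue_login(array &$store, int $userId, string $userAgent): array
{
    $token = bin2hex(random_bytes(32));
    $store[$userId] = [
        'token_hash' => hash('sha256', $token),
        'ua_hash'    => hash('sha256', $userAgent),
        'expires'    => time() + 3600,
    ];
    return ['uid' => (string) $userId, 'token' => $token]; // values to set as cookies
}

// Per-request check: the cookie must name a known user ID and carry the
// matching token, from the same browser, before the record expires.
function is_logged_in(array $store, array $cookie, string $userAgent): bool
{
    $uid   = $cookie['uid'] ?? '';
    $token = $cookie['token'] ?? '';
    if (!is_string($uid) || !is_string($token) || !ctype_digit($uid)) {
        return false;
    }
    $row = $store[(int) $uid] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return false;
    }
    return hash_equals($row['token_hash'], hash('sha256', $token))
        && hash_equals($row['ua_hash'], hash('sha256', $userAgent));
}

// Constructed sample data, not from the original thread.
$store  = [];
$ua     = 'Mozilla/5.0 (constructed sample)';
$cookie = issue_login($store, 42, $ua);

var_dump(is_logged_in_weak(['logged_in' => 'TRUE']));                    // fabricated flag cookie
var_dump(is_logged_in($store, ['uid' => '42', 'token' => 'TRUE'], $ua)); // fabricated token
var_dump(is_logged_in($store, $cookie, $ua));                            // cookie issued at login
var_dump(is_logged_in($store, $cookie, 'Another browser'));              // same cookie, other browser
```

The User-Agent header is supplied by the client, so the browser binding here is only a secondary check; the unguessable random token compared with `hash_equals` is what a fabricated cookie cannot reproduce.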