diff --git a/web/html/index.php b/web/html/index.php
index 2a1a4893..99cccbc6 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -2,78 +2,12 @@
 
 set_include_path(get_include_path() . PATH_SEPARATOR . '../lib' . PATH_SEPARATOR . '../lang');
 
-include("index_po.inc");
+# include("index_po.inc");
 include("pkgfuncs_po.inc"); # Add to handle the i18n of My Packages
 include("aur.inc");
 set_lang();
 check_sid();
 
-# Need to do the authentication prior to sending any HTML (including header)
-#
-$login_error = "";
-if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
-	# Attempting to log in
-	#
-	if (!isset($_REQUEST["user"])) {
-		$login_error = __("You must supply a username.");
-	}
-	if (!isset($_REQUEST["pass"])) {
-		$login_error = __("You must supply a password.");
-	}
-	if (!$login_error) {
-		# Try and authenticate the user
-		#
-
-		#md5 hash it
-		$_REQUEST["pass"] = md5($_REQUEST["pass"]);
-		$dbh = db_connect();
-		$q = "SELECT ID, Suspended FROM Users ";
-		$q.= "WHERE Username = '" . mysql_real_escape_string($_REQUEST["user"]) . "' ";
-		$q.= "AND Passwd = '" . mysql_real_escape_string($_REQUEST["pass"]) . "'";
-		$result = db_query($q, $dbh);
-		if (!$result) {
-			$login_error = __("Error looking up username, %s.",
-						array(htmlspecialchars($_REQUEST["user"])));
-		} else {
-			$row = mysql_fetch_row($result);
-			if (empty($row)) {
-				$login_error = __("Incorrect password for username, %s.",
-						array(htmlspecialchars($_REQUEST["user"])));
-			} elseif ($row[1]) {
-				$login_error = __("Your account has been suspended.");
-			}
-		}
-
-		if (!$login_error) {
-			# Account looks good.  Generate a SID and store it.
-			#
-			$logged_in = 0;
-			$num_tries = 0;
-			while (!$logged_in && $num_tries < 5) {
-				$new_sid = new_sid();
-				$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
-				$q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
-				$result = db_query($q, $dbh);
-				# Query will fail if $new_sid is not unique
-				#
-				if ($result) {
-					$logged_in = 1;
-					break;
-				}
-				$num_tries++;
-			}
-			if ($logged_in) {
-				# set our SID cookie
-				#
-				setcookie("AURSID", $new_sid, 0, "/");
-				header("Location: /index.php");
-			} else {
-				$login_error = __("Error trying to generate session id.");
-			}
-		}
-	}
-}
-
 # Any cookies have been sent, can now display HTML
 #
 html_header();
@@ -97,36 +31,6 @@ print __("The most popular packages will be provided as binary packages in [comm
 print "</td>";
 print "<td class='boxSoft' valign='top'>";
 
-# Now present the user login stuff
-if (!isset($_COOKIE["AURSID"])) {
-	# the user is not logged in, give them login widgets
-	#
-	if ($login_error) {
-		print "<span class='error'>" . $login_error . "</span><br />\n";
-	}
-	print "<table border='0' cellpadding='0' cellspacing='0' width='100%'>\n";
-	print "<form action='/index.php' method='post'>\n";
-	print "<tr>\n";
-	print "<td>".__("Username:")."</td>";
-	print "<td><input type='text' name='user' size='30' maxlength='64'></td>";
-	print "</tr>\n";
-	print "<tr>\n";
-	print "<td>".__("Password:")."</td>";
-	print "<td><input type='password' name='pass' size='30' maxlength='32'></td>";
-	print "</tr>\n";
-	print "<tr>\n";
-	print "<td colspan='2' align='right'>&nbsp;<br />";
-	print "<input type='submit' class='button'";
-	print " value='".__("Login")."'></td>";
-	print "</tr>\n";
-	print "</form>\n";
-	print "</table>\n";
-
-} else {
-	print __("Logged-in as: %h%s%h",
-			array("<b>", username_from_sid($_COOKIE["AURSID"]), "</b>"));
-}
-
 # MAIN: Bottom Left
 print "</td>";
 print "</tr>";
diff --git a/web/lib/aur.inc b/web/lib/aur.inc
index 8473faec..47156487 100644
--- a/web/lib/aur.inc
+++ b/web/lib/aur.inc
@@ -7,6 +7,7 @@ header('Pragma: no-cache');
 include_once("version.inc");
 include_once("config.inc");
 include_once("aur_po.inc");
+include_once("index_po.inc");
 
 # TODO do we need to set the domain on cookies?  I seem to remember some
 # security concerns about not using domains - but it's not like
@@ -92,6 +93,8 @@ function check_sid() {
 			# clear out the hacker's cookie, and send them to a naughty page
 			#
 			setcookie("AURSID", "", time() - (60*60*24*30), "/");
+			# I think it's probably safe to do the same as below with this
+			# but not really vital at this point
 			header("Location: /hacker.php");
 
 		} elseif ($failed == 2) {
@@ -104,8 +107,7 @@ function check_sid() {
 			db_query($q, $dbh);
 
 			setcookie("AURSID", "", time() - (60*60*24*30), "/");
-			header("Location: /timeout.php");
-
+			unset($_COOKIE['AURSID']);
 		} else {
 			# still logged in and haven't reached the timeout, go ahead
 			# and update the idle timestamp
@@ -336,9 +338,74 @@ function set_lang() {
 function html_header() {
 	global $_SERVER;
 	global $_COOKIE;
+	global $_POST;
 	global $LANG;
 	global $SUPPORTED_LANGS;
 
+	$login_error = "";
+	if (isset($_POST["user"]) || isset($_POST["pass"])) {
+		# Attempting to log in
+		#
+		if (!isset($_POST["user"])) {
+			$login_error = __("You must supply a username.");
+		}
+		if (!isset($_POST["pass"])) {
+			$login_error = __("You must supply a password.");
+		}
+		if (!$login_error) {
+			# Try and authenticate the user
+			#
+
+			#md5 hash it
+			$_POST["pass"] = md5($_POST["pass"]);
+			$dbh = db_connect();
+			$q = "SELECT ID, Suspended FROM Users ";
+			$q.= "WHERE Username = '" . mysql_real_escape_string($_POST["user"]) . "' ";
+			$q.= "AND Passwd = '" . mysql_real_escape_string($_POST["pass"]) . "'";
+			$result = db_query($q, $dbh);
+			if (!$result) {
+				$login_error = __("Error looking up username, %s.",
+							array(htmlspecialchars($_POST["user"])));
+			} else {
+				$row = mysql_fetch_row($result);
+				if (empty($row)) {
+					$login_error = __("Incorrect password for username, %s.",
+							array(htmlspecialchars($_POST["user"])));
+				} elseif ($row[1]) {
+					$login_error = __("Your account has been suspended.");
+				}
+			}
+
+			if (!$login_error) {
+				# Account looks good.  Generate a SID and store it.
+				#
+				$logged_in = 0;
+				$num_tries = 0;
+				while (!$logged_in && $num_tries < 5) {
+					$new_sid = new_sid();
+					$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
+					$q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())";
+					$result = db_query($q, $dbh);
+					# Query will fail if $new_sid is not unique
+					#
+					if ($result) {
+						$logged_in = 1;
+						break;
+					}
+					$num_tries++;
+				}
+				if ($logged_in) {
+					# set our SID cookie
+					#
+					setcookie("AURSID", $new_sid, 0, "/");
+					$_COOKIE['AURSID'] = $new_sid;
+				} else {
+					$login_error = __("Error trying to generate session id.");
+				}
+			}
+		}
+	}
+
 	include('header.php');
 	return;
 }
diff --git a/web/template/header.php b/web/template/header.php
index a931f571..5230dc56 100644
--- a/web/template/header.php
+++ b/web/template/header.php
@@ -65,8 +65,30 @@ foreach ($SUPPORTED_LANGS as $lang => $lang_name) {
            <li>Lang: </li>
          </ul>
       </div>
-   </div>
-   <div id="maincontent">
-		 <!-- Start of main content -->
+      <br />
+      <div style="text-align: right; padding-right: 10px">
+<?php
+if (!isset($_COOKIE["AURSID"])) {
+	if ($login_error) {
+		print "<span class='error'>" . $login_error . "</span><br />\n";
+  }
+?>
+        <form method='post'>
+<?php print __("Username:"); ?>
+        <input type='text' name='user' size='30' maxlength='64'>
+<?php print __("Password:"); ?>
+        <input type='password' name='pass' size='30' maxlength='32'>
+        <input type='submit' class='button' value='<?php  print __("Login"); ?>'>
+        </form>
+<?php
+} else {
+	print __("Logged-in as: %h%s%h",
+			array("<b>", username_from_sid($_COOKIE["AURSID"]), "</b>"));
+}
+?>
+    </div>
+  </div>
+  <div id="maincontent">
+	  <!-- Start of main content -->