Take a look at this piece of code:

function loginFunction($username = null, $status = null, &$auth = null) {
// Your login page code goes here
}

As you can see, the auth object has been passed passed to the loginFunction, so there's no point to define the $a as a global. You should use $auth to check the status of the session.

I didn't know at first where to use these contants to check for inactivity and failed logins. The problem is that you can't check before you $auth->start() because the auth hasn't been started yet. And you can't do it afterwards since the login page has already been displayed.

You need to do it inside the loginFunction() callback.

function loginFunction() {

global $a;
$status = $a->getStatus();
echo some error about the invalid login
echo your login form.

}

This seems so logical now, but I spent a good 10 minutes on this. Hopefully this will save