That isn't good coding to have the password displaying in the URL.
header.location( "http://www.thissite.com/login.php?user=" . $_POST[username] . "&pass=" . $_POST[password] . "&ref=0000" )
All you need to do is. Display the login box on the primary site then set the form action to the secondary site, i.e