I would like to make a simple user login/registration system using php and mysql. I don't need to get any information beyond what is necessary for the user to log in and out. I want to make sure that the system is secure.
The way that I currently understand how it should work is:
Registration
User enters their email address and password and confirmation password.
The php script makes sure the passwords match and that the email is a valid address and is not already in the database.
It hashes the password along with a random salt and stores the salt and resulting hashed password in the database. (Is php's md5 function suitable for this? I am not quite sure how this part works.)
Store an email confirmation code in the database and send the given email address a link back to the website that contains that code for verification?
Login
User input their email address and password.
The server looks up the email in the database and retrieves the salt. Then hashes the salt with the password the user just provided to see if it matches the one in the database.
How do I make the session persist after login. With a php session? A cookie? What should get stored in the cookie for remembering the user between visits?
I basically would just like some verification that the process I am describing is an accurate and secure way of doing user registration/login. Also, what are some good tutorials with more information.