02-13-2008, 10:19 PM, #6
The Acquainted
Join Date: Nov 2007
Posts: 154
In revisiting this thread, it occurred to me to pass along some additional advice (as per Rendair's comment on encrypting or hashing the password). Most of these things I take for granted and forget to mention. At any rate, here are other notes / tips in no specific order:
- Try to keep the login process simple, don't add anything that will hang you up later.
- Make sure you store the password as a hashed value, minimum MD5, SHA1 / SHA256 recommended. Do NOT use the database 'Password()' function to hash the password. It's not portable and I don't trust it. MD5 and SHA1 are both innate PHP / MySQL functions. You'll want to find a class or use PHP's mhash functions for anything stronger.
- Store ONLY non-critical information in the session, e.g. the userID value or the unique token to match against a `logins` table.
- DO use session_regenerate_id() on each successful login check, e.g. each page request that checks against valid session data. Once the user is validated against the session / `logins` table, then regenerate the session_id and restore the data.
- Consider creating a 'remember me' cookie so the user can automagically log back in after closing the browser.
- Consider using a `registrationID` column in the database to match against to help root out spammers (in other words, once they've registered, have an email sent to them that will have a link matching their `registrationID` column value).
- DO NOT allow any database errors to show, e.g. using mysql_error() to send an error message back to the user on a non-login or an error. This is what SQL injection attackers look for. Trap all errors in a log if need be. Shut off the PHP ini display_errors setting.
Then create a cool web 2.0ish design wrapped around all that, maybe implement an XHR (Ajax) request for the login process, etc.
Once you've got it all done, trash it all and redo it in OOP.
__________________
I reject your reality, and substitute my own.
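The following is an added example, not code from the post above, showing one way to put the poster's tips together in a small PHP/MySQL login: hashed passwords only, prepared statements, nothing but the user ID in the session, session_regenerate_id() on login and on each validated request, and database errors logged rather than shown. It assumes PHP 7.1 or later, a PDO connection to a database named `app` with a `users` table holding `id`, `email` and `password_hash` columns, and it uses password_hash()/password_verify() (bcrypt) in place of the MD5/SHA1 hashing the post names; the connection details and table layout are assumptions for illustration.

```php
<?php
// Added example (not the poster's code). ASSUMED schema:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       email VARCHAR(255) UNIQUE, password_hash VARCHAR(255));
declare(strict_types=1);

// Tip from the post: never display database errors to the user; log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function connect(): PDO
{
    // Hypothetical DSN/credentials; exceptions so failures are caught and logged.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Registration: store only a salted hash of the password, never the plaintext.
// password_hash() (bcrypt by default) is used here instead of MD5/SHA1 or MySQL PASSWORD().
function registerUser(PDO $pdo, string $email, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
    return (int) $pdo->lastInsertId();
}

// Login: parameterised query (no string-built SQL), password_verify() for the
// hash check, then a fresh session id holding only the user ID.
function login(PDO $pdo, string $email, string $password): bool
{
    try {
        $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
        $stmt->execute([$email]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // to the log, never to the user
        return false;
    }

    // Same generic failure whether the email is unknown or the password is wrong.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);                 // discard the pre-login session id
    $_SESSION = ['userID' => (int) $row['id']];  // non-critical data only
    return true;
}

// Per-request check: validate the session against the database, then
// regenerate the session id and restore the data, as the post describes.
function currentUserId(PDO $pdo): ?int
{
    if (empty($_SESSION['userID'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['userID']]);
    if ($stmt->fetchColumn() === false) {        // stale or forged session: drop it
        $_SESSION = [];
        return null;
    }
    $data = $_SESSION;
    session_regenerate_id(true);
    $_SESSION = $data;
    return (int) $data['userID'];
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Usage outline for a login page.
session_start();
$pdo = connect();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($pdo, $_POST['email'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /dashboard.php');
        exit;
    }
    echo 'Invalid login.';   // generic message; no mysql_error() output
}
```

The `registrationID` e-mail confirmation and the "remember me" cookie from the post are left out of this example; a "remember me" token would be stored in the `logins` table the post mentions and matched the same way the session user ID is matched in currentUserId().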