@cballou
Created March 25, 2012 14:28
Securing Your PHP Sessions with a Random + Unix Timestamp Salt (old, use bcrypt)
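CREATE TABLE secure_login (
`id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
`email` VARCHAR(120) NOT NULL,
# not read by validateLogin()/create_hash() below: they derive the salt from
# the creation date instead, so this column is unused by the helpers shown
`salt` VARCHAR(8) NOT NULL,
# 40 chars fits a hex sha1 digest only; other hash_method values (sha256 is
# 64 hex chars) would be truncated or rejected depending on sql_mode
`password` VARCHAR(40) NOT NULL,
`session` VARCHAR(40) DEFAULT NULL,
`disabled` TINYINT(1) UNSIGNED DEFAULT 0,
# your hidden salt will be the reverse of the created_dt value
# NOTE(review): the PHP helpers pass created_date through strtotime(), which
# does not parse a bare epoch integer as a timestamp -- confirm the caller
# converts this column to a date string before calling them
`created_dt` INT(11) UNSIGNED,
`modified_ts` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
PRIMARY KEY (`id`),
UNIQUE INDEX `uniq_idx` (`email`)
) ENGINE=InnoDB CHARSET=UTF8;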
<?php
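/**
 * Checks a submitted password against the stored hash for an account.
 *
 * The salt is not stored: it is reconstructed from the account's creation
 * date as the digits of its Unix timestamp, reversed, exactly as
 * create_hash() does. Because that salt is derived from a non-secret,
 * low-entropy value and the digest has no work factor, this scheme is
 * legacy only; new code should store password_hash() output and verify
 * it with password_verify().
 *
 * @param string $pass         The user submitted password
 * @param string $hashed_pass  The hashed password pulled from the database
 * @param string $created_date The user's created date pulled from the database,
 *                             in a form strtotime() can parse
 * @param string $hash_method  The hashing method used to generate the hashed password
 * @return bool                true only when the recomputed hash equals $hashed_pass
 */
function validateLogin($pass, $hashed_pass, $created_date, $hash_method = 'sha1') {
    // Same derivation as create_hash(). An unparseable $created_date makes
    // strtotime() return false, which date('U') renders as "0", so the salt
    // silently degrades to "0" instead of failing; only pass dates that were
    // validated when the account was written.
    $salt = strrev(date('U', strtotime($created_date)));

    // strict in_array(): hash_algos() yields strings, so no loose-comparison
    // surprises for a non-string $hash_method.
    if (function_exists('hash') && in_array($hash_method, hash_algos(), true)) {
        $computed = hash($hash_method, $salt . $pass);
    } else {
        // ext/hash unavailable or unknown algorithm name: sha1() is always built in.
        $computed = sha1($salt . $pass);
    }

    // Constant-time comparison so the length of the matching prefix does not
    // leak through response timing; fall back to === where hash_equals()
    // (PHP 5.6+) is unavailable.
    $stored = (string) $hashed_pass;
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $computed);
    }
    return ($stored === $computed);
}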
<?php
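/**
 * Hashes a password with a salt derived from the account's creation date.
 *
 * The salt is the Unix timestamp of $created_date with its digits reversed;
 * validateLogin() rebuilds the same salt, so the salt itself is never
 * stored. The salt is neither secret nor random and the digest has no work
 * factor, so treat this as a legacy format: new code should use
 * password_hash() / password_verify() instead.
 *
 * created_date must be a valid date() formatted string (anything
 * strtotime() accepts). An unparseable value does not raise an error:
 * strtotime() returns false and the salt degrades to "0".
 *
 * @param string $string       The plaintext to hash (the password)
 * @param string $created_date The account's creation date
 * @param string $hash_method  Algorithm name as listed by hash_algos(); the
 *                             function falls back to sha1() silently when
 *                             ext/hash is missing or the name is unknown
 * @return string              Lowercase hex digest
 */
function create_hash($string, $created_date, $hash_method = 'sha1') {
    // the salt will be the reverse of the user's created date
    // in seconds since the epoch
    $salt = strrev(date('U', strtotime($created_date)));
    $input = $salt . $string;

    // strict in_array(): hash_algos() contains only strings
    if (function_exists('hash') && in_array($hash_method, hash_algos(), true)) {
        return hash($hash_method, $input);
    }

    // ext/hash unavailable or unknown algorithm name: sha1() is always built in
    return sha1($input);
}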