We shall focus on Step 2.
Passwords should not be stored as plain text, because the database may be compromised.
Best practice dictates that a salt be generated randomly each time. Why?
After a successful authentication, we need to create a cookie.
How could we do that?
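One way to handle both questions above, as an added example that is not part of the original page: a fresh random salt per password makes two users with the same password store different hashes, and a successful login issues a random server-side session id in a cookie. PBKDF2-HMAC-SHA256, the iteration count, the in-memory dictionaries, and the cookie name `session` are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware
USERS = {}            # username -> (salt, hash); stands in for the database
SESSIONS = {}         # session id -> username; server-side session store


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt for every stored password
    USERS[username] = (salt, _derive(password, salt))


def login(username: str, password: str):
    """Return a Set-Cookie header value on success, None on failure."""
    # Unknown users get a dummy record so they still cost one derivation.
    salt, stored = USERS.get(username, (b"\0" * 16, b"\0" * 32))
    candidate = _derive(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, stored) or username not in USERS:
        return None
    sid = secrets.token_urlsafe(32)  # unguessable, carries no user data
    SESSIONS[sid] = username
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True    # not readable from page scripts
    cookie["session"]["secure"] = True      # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def user_for_cookie(header_value: str):
    """Map a Cookie header sent by the browser back to a username."""
    morsel = SimpleCookie(header_value).get("session")
    return SESSIONS.get(morsel.value) if morsel else None
```

The cookie holds only a random identifier; the username stays in the server-side store, so a forged or guessed value maps to nothing.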