Oh my... login systems are something everyone needs but are so easy to break/mess up. And most of the "3rd party freely available ones" won't do what you need/want.
General Data Structure
You essentially need a table (bare minimum) to hold your user information, such as (~rough schema):
ID, username, password
You can add more fields for specifics: full name, company, corporate code, etc. It seems you got a good handle on this part.
Registration
It sounds like you have 2 tables doing the same thing: table 1 holds user accounts that are active; table 2 holds user accounts that are "pending". I would scrap this for 1 basic table:
ID = database/entry ID (auto increment; integer)
status = status of account (active|inactive|pending|etc)
username = username user uses to login with
password = password of user; store the encrypted form!
name = name of user (full name)
email = email of user
conf = confirmation # / code
You can add more fields as wanted (phone, address, account created, last updated, etc).
Note that your user will have a password, like "orange". Instead of storing "orange" in the DB, store an encrypted version of this password. IE:
$password = "orange"; //user's password
$DB_password = md5($password); //store this value in DB
Then, when a user logs in, you "md5" (encrypt~) their password and compare the encrypted versions against each other. This is a level of security for your users and system.
Now, the key here is the "status" field. You can enter values of whatever you want... "true", "false". "0", "1". Or words: "active", "inactive", "deleted", "pending", etc. You can then use this value within your queries to get your desired effect!
Specifically... when someone first registers (however you do it). The user account info is created in the table and a "code" is generated in the "conf" field (or whatever). The user is then given their info and this code. But initially, the account is marked 'status' of "pending". This way, the user can be blocked from logging in/access. When a user first logs in (or follows an activation link), they can provide their details and the code. If it all matches up, you just update the DB entry to reflect the status as "active" (or such). Then allowing the user access. This puts the info all together into one table.
You can then set up a CRON script to run regularly (~every day; etc). It can swoop through the DB and permanently delete records that are "inactive"; or delete "pending" accounts that have been pending for a significant amount of time (this would require adding a date/time type field to know when the account was created); etc.
Do you know how to write this type of code? It is a matter of some HTML and PHP commands to run the queries. People here (including myself) can help you if you need specific help with specific code. But we are not here to write your entire code for you. :)
Logging In
When it comes to logging in... get the user's username and password. Check that they validate. If a user validates, my personal preference is simply to start a marker in the PHP session to note whether there is a login or not. IE:
<?php
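session_start();
//(assume user is logged in and validated above)
session_regenerate_id(true); //issue a fresh session ID at login so a pre-login ID cannot be reused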
$_SESSION['login'] = array();
$_SESSION['login']['active'] = true;
$_SESSION['login']['lastlogin'] = time();
$_SESSION['login']['username'] = $username;
$_SESSION['login']['userid'] = $users_id_num_here;
//(etc)
?>
Then... you have a lot of flexibility in the login. PHP handles all of the cookie aspects and takes that duty away from you. It also simply adds a toggle for your scripts... instead of adding code to "check for login" to all your pages, all you really need is...
//empty() also covers the case where no login marker has been set yet
if (empty($_SESSION['login']['active']))
{
//ERROR: User is NOT logged in. Force login. Redirect. Etc.
}
By tracking the username/user ID, it also allows you to easily identify the current user. And tracking some time information (like 'lastlogin')... you can arrange some functionality that looks to see if it has been a long time since last login and force a new one. Etc.
Hope this gives some login info for you to consider.
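
Added example, not part of the original post: the single-table registration, activation and login flow described above, with the stored password produced by PHP's password_hash() (salted and deliberately slow) instead of a bare md5(), and the confirmation code drawn from random_bytes(). The in-memory $users array and the function names register_user, activate_user and login_user are constructed stand-ins for the database table and queries, not code from the poster.

```php
<?php
// Constructed in-memory "users" table standing in for the DB table in the post.
$users = [];

// Register: store a salted, slow password hash, mark the account "pending",
// and issue an unguessable confirmation code.
function register_user(array &$users, string $username, string $password): string
{
    $conf = bin2hex(random_bytes(16));            // 128-bit code from the CSPRNG
    $users[$username] = [
        'id'       => count($users) + 1,
        'status'   => 'pending',
        'password' => password_hash($password, PASSWORD_DEFAULT),
        'conf'     => hash('sha256', $conf),      // keep only a digest of the code
        'created'  => time(),                     // lets a cron job expire old pending rows
    ];
    return $conf;                                 // delivered to the user, e.g. by email
}

// Activate: constant-time comparison of the submitted code, then flip the status.
function activate_user(array &$users, string $username, string $code): bool
{
    $u = $users[$username] ?? null;
    if ($u === null || $u['status'] !== 'pending') return false;
    if (!hash_equals($u['conf'], hash('sha256', $code))) return false;
    $users[$username]['status'] = 'active';
    $users[$username]['conf'] = null;             // the code is single-use
    return true;
}

// Login: verify the password hash, require status "active",
// and return the marker the post stores in $_SESSION['login'].
function login_user(array &$users, string $username, string $password): ?array
{
    $u = $users[$username] ?? null;
    if ($u === null || !password_verify($password, $u['password'])) return null;
    if ($u['status'] !== 'active') return null;
    if (password_needs_rehash($u['password'], PASSWORD_DEFAULT)) {
        // Upgrade the stored hash when PHP's default algorithm or cost changes.
        $users[$username]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return ['active' => true, 'lastlogin' => time(),
            'username' => $username, 'userid' => $u['id']];
}

$code = register_user($users, 'alice', 'orange');
var_dump(login_user($users, 'alice', 'orange'));   // account is still pending here
var_dump(activate_user($users, 'alice', $code));
var_dump(login_user($users, 'alice', 'orange'));
```

With a real table, the password column should be wide enough for future algorithms (the PHP manual recommends 255 characters), and lookups by username should go through prepared statements.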