Simple implementation of admin/staff panel?

Posted by Michael Mao on Stack Overflow
Published on 2010-05-04T05:01:48Z Indexed on 2010/05/04 5:08 UTC

Hi all:

A new project requires a simple panel (page) for admin and staff members that:

  • Preferably will not use SSL or any digital certification stuff; a simple login form via HTTP will be just fine.
  • has basic authentication which allows only admin to log in as admin, and any staff member as part of the group "staff". Ideally, the "credentials" (username/hashed-password pair) will be stored in MySQL.
  • is simple to configure if there is a package, or the strategy is simple to code.
  • somewhere (PHP session?), somehow (include a script at the beginning of each page to check the user group before doing anything?), it will detect any invalid user's attempt to access a protected page and redirect him/her to the login form.
  • while still keeping high quality in security, something I worry about the most.

Frankly, I have little knowledge about Internet security, and about how modern CMSs such as WordPress/Joomla handle their implementation of this.

I only have one thing in mind: that I need to use a salt to hash the password (SHA1?) to make sure any hacker who gets the username and password pair across the net cannot use that to log into the system. And that is what the client wants to make sure of.

But I am really not sure where to start. Any ideas?

Thanks a lot in advance.

© Stack Overflow or respective owner
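
The login flow described in the post (salted password hashes in a database, a session, and a group check included at the top of each protected page), as an added example that is not part of the original post or any answer to it. It uses PHP's password_hash()/password_verify() rather than a hand-salted SHA1; the table, column and function names are assumptions, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example. Table, column and function names are assumptions.
// SQLite in memory stands in for MySQL so it runs offline; only the DSN differs.

function create_user(PDO $db, string $name, string $password, string $group): void {
    // password_hash() picks a random per-user salt and embeds it in the result.
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash, grp) VALUES (?, ?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT), $group]);
}

// Returns the user's group on success, null for unknown user or wrong password.
function check_login(PDO $db, string $name, string $password): ?string {
    $stmt = $db->prepare('SELECT pw_hash, grp FROM users WHERE username = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return $row['grp'];
}

// Group check for the script included at the top of each protected page.
function has_group(array $session, array $allowed): bool {
    return isset($session['grp']) && in_array($session['grp'], $allowed, true);
}

// In a real page, after session_start():
//   if (!has_group($_SESSION, ['admin'])) { header('Location: login.php'); exit; }
// and after a successful check_login():
//   session_regenerate_id(true); $_SESSION['grp'] = $group;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, grp TEXT)');
create_user($db, 'alice', 'constructed-pw-1', 'admin'); // constructed accounts
create_user($db, 'bob', 'constructed-pw-2', 'staff');

$session = []; // stands in for $_SESSION in this offline run
$group = check_login($db, 'bob', 'constructed-pw-2');
if ($group !== null) {
    $session['grp'] = $group;
}
var_dump(has_group($session, ['admin']));          // staff user on an admin-only page
var_dump(has_group($session, ['admin', 'staff'])); // staff user on a staff page
var_dump(check_login($db, 'bob', 'wrong-password'));
var_dump(check_login($db, 'nobody', 'anything'));
```

Hashing protects the credentials as stored in the database; the password typed into the form and the session cookie are still sent as-is over whatever transport the site uses.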