The real lesson here is don't re-invent the wheel. There are plenty of companies that have fully fleshed out auth/login solutions for you already. I never cease to be amazed with how many companies insist on building shit that already exists and come up with an obviously far shittier implementation.