my $ok;
$hash = &generate_hash( $USER, $passwd );
# ... confirm via hash
$ok = $hash eq $USER->{passwd_hash};
# if the hash-compare failed and the user still has a password, use that:
if (! $ok and defined $USER->{passwd}) {
        $ok = $passwd eq $USER->{passwd}
}

if($ok) {
    # generate session key
    # save session key in ??? (user or session table)
    # send login cookie with session key -
    #   for current browser session, 
    #   or a permanent one for cowboys
}