Write authorization system. A few questions

1. Only if you need the address for future use, because the validation in the online stores from us, usually by a telephone call that allows you to check the availability of user and order (almost 100%). In fact, the address can be verified and after working with the online store and it is in response to give sweet buns some and then send newsletters with new arrivals to destinations which are interesting to him.
\r
2. There is a sense of checkbox by default, but if a person doesn't want it just uncheck the box. A not advanced users now don't think about it, accepting by default that the site remembers them. And I recommend to run through popular services like Odnoklassniki, myspace, etc. and check it out as they have not occupate from this — the similarity in visual terms and the behavior of the standard set of controls is one of odnosnik settings user-friendly interface.
\r
3. Would recommend to bind not only to the user name (or just do NOT to him), and to the browser — the username the session is always the same, but if the data browser to bind, then dragged along the cookie with the session villain will have to juggle and all the identification data of the browser.
\r
4. The idea session and is needed in order not to climb each time for verification. Now you have a nonsense — what for to check whether the username and password in database from the session if the session you do them and put? How are they different? Unavailable to the user changing session data, it makes your script.

1 and 2 — make it simple for the user, the better
3. The salt is more than desirable.
4. Suggest to read about sql injection :)

everything below is subjective
1. for online store it's too much. the use three options: ordering without registration, registration via openid, regular registration.
\r
2. has, it is very convenient. only title the checkbox to make short obyasnenie why this is.
\r
3. salt is needed in order to "aggravate" the hash, and most importantly for what would in the database were single hash (and next to salt) and in session writing with salt.
\r
4. I usually "guest" put in the cook id=1 and password md5(rand()), and the pages already checking if the value id is greater than 1 then make the identification, if 1 then no.
\r
don't forget to mysql_escape()

1. Without activating the soap at first glance, easier and more convenient. But I think user will be frustrating to know that he made a typo in the email address field when you need to recover the password to uchetku. Although here, too, depends on the purpose of your service binding to soap, as such, do not really need.
\r
3. Use your bike? Why?
\r
4. >check for session data and then I have a mandatory request to the database
that's out of this and grow the miracle scripts that put cancer any server. Here zaprosik there zaprosik. Don't be lazy, do it from a human, besides, it is more convenient.

it is not clear why do we need paragraphs 3 and 4.
I would have understood if the token was disposable, and so you just repeat the existing mechanism of the session hanging on him any unnecessary bells and whistles.
\r
store user_id in session and a flag is_logged and clean session when tagine.