[web] php user/pass storing cookie??

14 comments, last by Colin Jeanne 16 years, 3 months ago
The Wikipedia article is fairly complete and accurate. There isn't much reason not to trust it. In any case, I have found this blog post which explains what salting is, why you should use it, and provides PHP examples of it.

Password recovery should never be about telling the user what their password is. This is too dangerous because if your system fails then you could inadvertently tell someone pretending to be the user that user's password. Since most users use the same password in multiple places you will have compromised their accounts at each of these locations.

Instead password recovery is about generating a new password temporarily. There are a few ways to implement this:

1. The easy, but not incredibly secure way, is to generate a new password for that user, store its salted and hashed form in the database, and email the password to the user. The danger here is that now the user has an email with their password in cleartext. Hopefully, however, they will change their password quickly. You can help mitigate this by requiring that the user change their password immediately after logging in after using this generated password.

2. A bit more difficult way is to never send the cleartext password and to never even generate one. When the user does password recovery you generate a special URL that that user can go to to create a new password for themselves. This URL should be relatively short-lived and it's probably best if your system never generates the same URL twice.

Both of these systems can include a confirmation email that is sent to the registered email address before starting the password recovery process. You'd send a short-lived URL to the user which they can go to to verify that they do want the process to start. This can help prevent people from attempting a poor-man's DoS against an account by repeatedly requesting a password recovery and thereby causing the password to always change.

Another way to help prevent this type of DoS is to use a password recovery question. Before allowing a password recovery to continue the user must answer a password recovery question correctly. To provide this system, allow the user to specify one (or preferably more) questions and their answers. The user should be able to create their own questions and write their own answers rather than selecting from a list of prechosen questions. When doing the recovery present the user with a randomly selected question.

When doing this, be sure to accept the answer in slightly varied ways. That is, punctuation and capitalization probably shouldn't matter in deciding if the answer is correct.
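The second recovery scheme above (a short-lived URL that is never reused) as an added example; it is not code from the thread. It uses modern PHP (random_bytes, password_hash) and assumes a PDO handle $db plus hypothetical password_reset and users tables.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $db and two
// hypothetical tables: password_reset(user_id, token_hash, expires_at)
// and users(id, password_hash).

const RESET_TTL_SECONDS = 30 * 60;   // link is valid for 30 minutes

// Create a reset link for $userId. Only a hash of the token is stored, so a
// leaked copy of the table cannot be turned into a usable URL.
function createResetLink(PDO $db, int $userId, string $baseUrl): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO password_reset (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, hash('sha256', $token), time() + RESET_TTL_SECONDS]);
    return $baseUrl . '/reset.php?token=' . $token;
}

// Validate the token from the URL. Returns the user id, or null if the token
// is unknown, expired, or already used. The row is deleted as soon as it is
// seen, so the same URL can never be consumed twice.
function consumeResetToken(PDO $db, string $token): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM password_reset WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $del = $db->prepare('DELETE FROM password_reset WHERE token_hash = ?');
    $del->execute([$hash]);                      // single use, even if expired
    if ((int)$row['expires_at'] < time()) {
        return null;
    }
    return (int)$row['user_id'];
}

// After a valid token: store the new password salted and hashed
// (password_hash generates its own salt) and drop any other outstanding
// reset rows for this user.
function setNewPassword(PDO $db, int $userId, string $newPassword): void {
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM password_reset WHERE user_id = ?')->execute([$userId]);
}
```

Because the lookup is by token hash, the raw token only ever exists in the email and the user's browser; sending the link itself should still go through the confirmation step described above.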
OK, new problem. My code (cut):

<?PHP
session.auto_start;
session_start();
.........
$_SESSION['user'] = $usernam;
$_SESSION['pass'] = $passwor;
session_register();
setcookie("sessionid", session_id());

echo '

session id='.session_id();
echo '
cookie='.$_COOKIE['sessionid'];
}
?>

I get the session ID when just looking it up, but I can't find out why it is not storing the cookie. Can anyone find my problem here?
I think I got it.
For the cookie I now use:

setcookie("sessionid");
$_COOKIE['sessionid']=session_id();

and it got the ID.
Problem with the index page now. The PHP code:

<?php
if(isset($_COOKIE["sessionid"])){
session_id($_COOKIE['sessionid']);
echo 'Hello '.$_SESSION[user].'
Sign Out';
}
if(!isset($_COOKIE["sessionid"])){
echo 'Sign In';
}
?>

It doesn't say that the cookie is set here. How do I make a cookie work for the whole URL, not just one page?
$_COOKIE is a copy of the cookie values sent back by the user. Modifying this copy will not change the cookies on the user side. Cookies on the user side must be created and modified using setcookie.
PHP's session handling mechanism will already store the session ID in the cookie. When using PHP to manage sessions you can forget that the cookie exists entirely. You also do not need to use session_register(). If you want to set a session variable just use the $_SESSION array.
