Okay, based on your suggetions, here's the algorithm I have so far.
0. Login security:
A. Presents login form with POST via https. Will not login except via https and POST, discarding URI data from invalid attempts.
B. Once it accepts the password, the script hashes said password, then compares the hash to a previously-created file named "hash.dat". If the values are the same:
i. A file "salt.dat" is generated (or salt info is added to hash.dat), using a hash of the current time or some random value. File contents are [salt, generation time].
ii. The script then sets a secure cookie (which the browser will only pass to the server over a secure connection) containing a hash of the password hash + salt, set to expire on browser close.
C. All login attempts, valid and invalid, are recorded to a file listing date/time, IP, whether the login succeeded, and why it failed.
D. So long as the salt is less than half an hour old, and the cookie is present and valid when compared to a hash of hash.dat + salt, the updater will stay logged in.
3. Logout: The script clears the salt file by setting its contents to [0, 0], then clears the cookie by changing its contents to "expired" and setting its expiry to now.