What should a secure login script consist of?

Published 2019-04-12 21:34

Question:

I am going to write a secure login script and I would like to ask what kind of component it should have.

For now these are the things that came to my mind:

Basic

  • Using PDO as connector for mysql database
  • Securing passwords using SHA512 ( should there be a salt/token involved ? )
  • Session and cookie management, trying to avoid the hijack of the session id ( could you provide me with some article about it ? )
  • XSS prevention ( could you refer me to an article ? )
  • SQL injection prevention, sanitization of the input
  • Secure connection over https

Registration

  • In terms of registration using a reCaptcha

Login

  • Count the login attempts and block after 5 failed attempts to prevent brute-force attacks.

After login

  • Session timer with destruction ( 12 minutes to lose the session ) with a click to renew the timer [ does anyone have an example of this ? I couldn't find any ]

Are there any more major security hints that I should think of?

Thanks.

Answer 1:

This is actually a nontrivial problem with a number of issues that need to be considered. Fortunately, a lot of the problems have been solved for you.

  • Password hashing: Use password_hash() and password_verify() -- don't use fast hashes like MD5 or SHA1, and also don't roll your own hashing strategy or else you'll find yourself reinventing PBKDF2 sloppily -- password_hash() does everything you probably want it to do without having to stress over implementation details. They are adequate; learn these tools well. If you're on PHP < 5.5 use password_compat.
  • Database API: PDO is wonderful. Make sure you take full advantage of prepared statements to separate SQL queries from user-supplied data. Otherwise, doom.
  • Session Management: Use the built-in sessions, use HTTPS everywhere with no mixed content, set "httponly" and "secure" to true. Regenerate the session when privilege is escalated (e.g. the user logs in).

    If you want to be paranoid, you can defend against session fixation attacks (which aren't really considered practical these days) by setting a canary session variable. Upon page load, if $_SESSION['canary'] is not defined (or does not match an expected value), destroy the session and treat the user as a new guest.

  • Rate-Limiting: Add a manual captcha after N login attempts (where N is greater than 1 but still very small).
  • Remember Me: Perfect example of "seems trivial, really isn't." Covered in this blog post. If you don't need it, don't implement it.
  • Account Recovery: A back-door by any other name. If you can get away with neglecting this feature, don't implement it at all. Most users are incapable of providing reliably secret answers to security questions.
  • Registration: You want at least a CAPTCHA here.
  • XSS Prevention: This is part of any secure web application, not specific to your login form. That said, HTMLPurifier is pretty reliable if you want to allow HTML and htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8') is great if you don't want to allow HTML.

This is a subject I am hoping to answer through a series of very thorough blog posts on the Paragon Initiative Enterprises blog.
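The points in the answer above (password_hash()/password_verify(), PDO prepared statements, secure/httponly session cookies, a canary against fixation, and regenerating the session id on login) put together in one login handler. This is an added illustration, not code from the answer's author or from Paragon; it assumes PHP 7.3+ for the array form of session_set_cookie_params(), a hypothetical table `users(id, email, pwhash)` whose `pwhash` column holds password_hash() output, and HTTPS terminating in front of the script.

```php
<?php
declare(strict_types=1);
// Added example, not the answer's code. Assumes a table users(id, email, pwhash)
// populated with password_hash() output, and that the site is served over HTTPS.

// Session cookie flags from the answer: secure + httponly (SameSite is an extra).
session_set_cookie_params([
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript, limits theft via XSS
    'samesite' => 'Lax',
]);
session_start();

// Canary check: a session that lacks the expected marker is treated as a fresh
// guest session (the answer's defence against session fixation).
if (!isset($_SESSION['canary']) || $_SESSION['canary'] !== 'v1') {
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['canary'] = 'v1';
}

// PDO with exceptions and real server-side prepared statements (no emulation).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function attemptLogin(PDO $pdo, string $email, string $password): bool
{
    // User input travels as a bound parameter, never inside the SQL text.
    $stmt = $pdo->prepare('SELECT id, pwhash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so a bad email
    // and a bad password take about the same time.
    $hash = $row['pwhash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    // Transparently upgrade the stored hash if the default cost has moved on.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pwhash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    // Privilege escalation: discard the pre-login session id.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}
```

The captcha-after-N-attempts step from the answer is not shown; it would wrap the call to attemptLogin() with a per-account failure counter.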



Tags: php security