Thanks Karl for the answer.
In my case the customers will arrive from an extranet from a link that will give them access for a few hours. They will not have access to the password.
I know I can modify the function in index.php, but in case of update it may not work anymore. And as I did, I fill $_SESSION["login"] with $login_hash (like check_login()), but if I update the hash and the check_login() function it will not work anymore.
Maybe the check_login function could test the existence of an external hook_chek_login() function in a hook.php file.
If it exists, we call it.
If it returns :
TRUE=identification ok
FALSE = identification not ok
NULL = normal process
Or maybe a simpler solution, in check_login on the line $is_logged_in = !$is_logout && isset($SESSION['login']) && $SESSION['login'] === $login_hash;
Add another condition :
$is_logged_in = !$is_logout && isset($SESSION['login']) && ($SESSION['login'] === $login_hash || $SESSION['login']===config::$login_hash_external);
$login_hash_external would be in config.php, and $SESSION['login'] could be initialized in another file like what I did.
These are just ideas, there are probably better ones.