Definitely start with the user system. Develop it around a users table in the database, starting with the login. Then just develop functions to check whether a user is logged in, whether they have appropriate access to go to a certain page, etc.
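The structure described above, as an added example that is not part of the original post: a users table, a login that issues a session token, and the two check functions. It uses Python with SQLite; the table layout, role names, and function names are all assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, sqlite3

ROLE_RANK = {"user": 1, "editor": 2, "admin": 3}  # assumed role hierarchy

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                            salt BLOB NOT NULL, pw_hash BLOB NOT NULL, role TEXT NOT NULL);
        CREATE TABLE sessions (token_hash BLOB PRIMARY KEY,
                               user_id INTEGER NOT NULL REFERENCES users(id));
    """)
    return db

def _hash_pw(password, salt):
    # Salted, slow hash; the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def create_user(db, username, password, role="user"):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (username, salt, pw_hash, role) VALUES (?,?,?,?)",
               (username, salt, _hash_pw(password, salt), role))

def login(db, username, password):
    """Return a new session token, or None on bad credentials."""
    row = db.execute("SELECT id, salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    # Hash even for unknown users so timing does not reveal which names exist.
    uid, salt, stored = row if row else (None, b"\0" * 16, b"")
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    if not (row and ok):
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token, so a database leak does not leak sessions.
    db.execute("INSERT INTO sessions VALUES (?, ?)",
               (hashlib.sha256(token.encode()).digest(), uid))
    return token

def current_user(db, token):
    """Return (username, role) for a valid session token, else None."""
    if not token:
        return None
    return db.execute(
        "SELECT u.username, u.role FROM sessions s JOIN users u ON u.id = s.user_id "
        "WHERE s.token_hash = ?", (hashlib.sha256(token.encode()).digest(),)).fetchone()

def is_logged_in(db, token):
    return current_user(db, token) is not None

def can_access(db, token, required_role):
    """Deny by default: no session or an unknown role means no access."""
    user = current_user(db, token)
    return bool(user) and ROLE_RANK.get(user[1], 0) >= ROLE_RANK.get(required_role, 99)
```

Each page handler would call `can_access` on the server side before rendering, so the access decision never depends on what the client hides or shows.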