How do I handle user authorization the safest way?
You can muck around with client-side hashing, but in general POSTing the credentials over a secure (HTTPS) connection is considered sufficient.
This still leaves the possibility of MITM attacks… But performing an MITM attack on an SSL connection isn't entirely trivial, so it's probably not an attack vector you need to be too concerned with.
You say that SSL is too expensive for you, but most hosts offer it for free. The expensive part is getting a private IP address and formal certificate.
However, you could create your own certificate which would mean that all the details are still transmitted securely, it's just your identity that can't be guaranteed. As mentioned by David Wolever, MITM attacks are much harder to do; and anyway are probably not a concern for a hobby site.
Once (if) your site evolves out of being a hobby then you can invest in an assured certificate then.