Authenticating users

To authenticate users, the application must be able to identify a user and verify that they are who they claim to be. A common authentication process starts with a user providing either an email address or a username, together with a password, on the login form. The application finds the user's record by looking it up in the database using the email address or the username, and then compares the password stored in the database with the one the user provides. If the user record does not exist or the passwords do not match, the authentication fails. Otherwise, the application considers the user authenticated and recognizes the user in subsequent requests, usually by storing the user's information in the HTTP session. The following figure is a high-level overview of the authentication process:

Figure 10.1: Authenticating user

There are many variants of the authentication process. For example, instead of looking up users in a database, the application can talk to a Lightweight Directory Access Protocol (LDAP) server such as Active Directory, check an XML file that contains user data, or even use user data stored in memory.
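The flow described above, as an added Python example (not code from the book), using the in-memory variant of the user store. It assumes passwords are stored as salted PBKDF2 hashes rather than as plaintext, which goes beyond what the text specifies; the names `USERS`, `SESSIONS`, `authenticate` and the sample account are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(username: str, email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "email": email, "salt": salt,
            "password_hash": hash_password(password, salt)}

# Constructed sample data: the in-memory "user table".
USERS = [make_user("alice", "alice@example.com", "correct horse battery staple")]

# Dummy record, never returned by find_user: lets a lookup miss do the same
# hashing work as a hit, so response time does not reveal which names exist.
_DUMMY = make_user("", "", secrets.token_hex(16))

# Stand-in for the HTTP session store: session id -> username.
SESSIONS = {}

def find_user(identifier: str):
    # The login form accepts either the username or the email address.
    ident = identifier.strip().lower()
    for user in USERS:
        if ident in (user["username"], user["email"]):
            return user
    return None

def authenticate(identifier: str, password: str):
    """Return a new session id on success, None on any failure."""
    user = find_user(identifier)
    record = user or _DUMMY
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison of the stored and the supplied password hash.
    matches = hmac.compare_digest(candidate, record["password_hash"])
    if user is None or not matches:
        return None  # same result for "no such user" and "wrong password"
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user["username"]
    return session_id

def current_user(session_id: str):
    # Recognize the user on later requests from the session id alone.
    return SESSIONS.get(session_id)
```
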
