A typical web application requires credentials, in the form of a username/password, to perform authentication. The HTML form is used to ask for credentials in the browser, and then send them to the server. The server then authenticates the information, creates and maintains a session at the server side, and sends the session ID back to the browser.
The session ID will be sent in each request, and the server will map the session with the session ID and pull certain information from the database to perform authorization. The browser generally stores the session ID in cookies. As long as the session is active, a user can access the restricted resources, based on the authorities assigned.
This is a quite simple and easy mechanism for client-server interaction, and hence, it is still used by many web applications and services today. However, there are certain limitations...