Auth and Session

Auth (better be quick)

Auth Related (more in logic, priv, and transport sections)

User/pass discrepancy flaw
Registration page harvesting
Login page harvesting
Password reset page harvesting
No account lockout
Weak password policy
Password not required for account updates
Password reset tokens (no expiry or re-use)

Session (better be quick)

Session Related:

Failure to invalidate old cookies
No new cookies on login/logout/timeout
Never ending cookie length
Multiple sessions allowed
Easily reversible cookie (base64 most often)