authentication - can it be bypassed or broken?
Can URLs and functions that are available while logged in be accessed as an unauthenticated user?
Can the session token be re-used after logging off? Is there a "Logoff" feature at all?
Can you have multiple sessions as the same user at the same time?
What are the password requirements?
Can you re-use a previous password?
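The questions above each map to a server-side control. The following is an added illustration (not code from the original page) of a minimal session store that handles them the way a tester would expect: opaque random tokens, logoff that invalidates the token server-side rather than only dropping the cookie, one active session per user (one possible policy), a minimum password length, and a password history that refuses re-use. Credential verification itself is assumed to happen elsewhere.

```python
import hashlib
import secrets


class SessionStore:
    """Assumed reference design for the controls the checklist probes."""

    def __init__(self, history_size=5, min_length=12):
        self.sessions = {}        # token -> username
        self.user_sessions = {}   # username -> current token
        self.salts = {}           # username -> per-user salt for history hashes
        self.pw_history = {}      # username -> list of recent password hashes
        self.history_size = history_size
        self.min_length = min_length

    def login(self, user):
        # Concurrent sessions are refused: a new login replaces the old token.
        old = self.user_sessions.get(user)
        if old is not None:
            self.sessions.pop(old, None)
        token = secrets.token_urlsafe(32)   # unguessable, opaque token
        self.sessions[token] = user
        self.user_sessions[user] = token
        return token

    def logout(self, token):
        # Logoff must remove the token server-side; a client clearing its
        # cookie is not enough, otherwise the token can be replayed later.
        user = self.sessions.pop(token, None)
        if user is not None:
            self.user_sessions.pop(user, None)

    def is_authenticated(self, token):
        return token in self.sessions

    def _pw_hash(self, user, password):
        salt = self.salts.setdefault(user, secrets.token_bytes(16))
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, new_password):
        """Return False if the password is too short or was used recently."""
        if len(new_password) < self.min_length:
            return False
        digest = self._pw_hash(user, new_password)
        history = self.pw_history.setdefault(user, [])
        if digest in history:
            return False            # previous password re-use refused
        history.append(digest)
        del history[:-self.history_size]   # keep only the last N hashes
        return True
```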