Registered users need to authenticate by supplying either a local username and password, or a remote username and password such as a jabber, Delphi, or one from another Drupal website. See distributed authentication for more information on this innovative feature.
The local username and password -hashed with Message Digest 5 (MD5) for Drupal 6 or SHA512 for Drupal 7- are stored in your database. When you enter a password it is also hashed with MD5/SHA and compared with what is in the database. If the hashes match, the username and password are correct.
Once a user authenticated session is started, and until that session is over, the user won't have to re-authenticate. To keep track of the individual sessions, Drupal relies on PHP's session support. A visitor accessing your website is assigned an unique ID, the so-called session ID, which is stored in a cookie. For security's sake, the cookie does not contain personal information but acts as a key to retrieve the information stored on your server's side. When a visitor accesses your site, Drupal will check whether a specific session ID has been sent with the request. If this is the case, the prior saved environment is recreated.