Rachel,
I've always considered WebAppuser and to a lesser extent WebAppSession to be "proof of concept" tables rather than designed for use in a production environment. For example, consider the LoginName and Password fields. Most web-sites use an email address for the login ID's and 20 characters would be totally inadequate so at the least this field should be much longer. Even if you use a login name of 20 characters or less, you still need to record at least one email address for each user so that would require another field(s).

Theories amongst security experts on the length of passwords change more often even than the medical industries opinions on whether a high-carb diet is good for you or not. Personally, I favour really long but memorable passwords so have a password field length of 100 characters. Whatever your opinion, what is generally accepted and in some jurisdictions legislated, is that passwords should be encrypted. 20 characters just doesn't cut it anymore.

Nowadays, multi-factor authentication is a real consideration which means that you probably need a mobile phone number in WebappUser. Most of my work is on B2B sites so I need rather more granular control over user rights than that provided by a single two-digit number, so all that goes into separate tables which link to WebappUser. In multi-tenant sites WebAppUser needs to relate to a Customer table so a join code is required. As I said, the standard WebAppUser table is really just a proof of concept.

Usually I ignore DF's WebAppUser and WebAppSession tables, leaving them sitting in the System area of Filelist.cfg and create my own tables elsewhere in the Filelist. DF expects you to sub-class cWebSessionManager and even cWebSessionManagerStandard is designed to be customised in areas such as UpdateSessionProperties so you're probably going to copy cWebSessionManagerStandard into another class file and modify it. Since most of the use of WebAppUser and WebAppSession tables occurs in the cWebSessionManager class, there aren't any serious consequences from changing these tables, just a bit of extra work.

Ian