Hi Yongpyo,
you can verify the username/password with the core.authenticate, after which you can initialise the session.
Underneath a piece of code from the "forgotpassword module” which illustrates the usage.
ISession session = Core.initializeSession(user, (this.getSessionFromRequest(request) != null ? this.getSessionFromRequest(request).getId().toString() : null));
response.addCookie(this.getSessionCookieName(), session.getId().toString(), "/", "", -1, true);
response.addCookie("XASID", "0."+Core.getXASId(),"/", "", -1, true);