ASP.NET sees the session cookie and loads the session (or doesn't, and starts a new one). This is why people recommend serving static, unauthenticated resources like images from a separate domain. How ...