whenever an user is login into application,new session is created with a cookie for that user.This cookie becomes the session Id,so all the subsequent request use this as reference.Check those details on Page loading.
Come across good article.Please read following article.
http://www.codeproject.com/Articles/859579/Hack-proof-your-asp-net-applications-from-Session?msg=4973233#xx4973233xx