IIS recognise with the use of session key each time when new user request for a page it genrate session key for that perticular user and with the use of that session key iis recognise a user.

Dy default sessions use cookies but difference is that it is encrypted and safe to travel