Because any request to a given resource on a given domain -- images, scripts, stylesheets, everything -- includes all the cookies for that domain, which includes the session cookie. ASP.NET sees the ...