ASP.NET uses a 120-bit identifier to track each session. This is secure enough and can't be reverse engineered. When the client communicates with the server, only the session ID is transmitted between them. When the client requests data, ASP.NET looks up the session ID and retrieves the corresponding data. This is done in the following steps:
- The client hits the web site and some information is stored in the session.
- The server creates a unique session ID for that client and stores it in the Session State Provider.
- The client again requests some information from the server, sending that unique session ID.
- The server looks in the Session State Provider, retrieves the serialized data from the state server, and type casts the object.
Have a look at the pictorial flow:
Fig: Communication of client, web server, and State Provider
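
The four steps above as a simplified console model in C#, added here as an illustration; it is not ASP.NET's internal code or the author's. `StateProvider`, `NewSessionId`, `Save` and `Load` are hypothetical names, the hex encoding of the ID and the JSON serialization are assumptions, and the user name is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;

// Simplified model of the session flow; not ASP.NET's internal implementation.
// StateProvider, NewSessionId, Save and Load are hypothetical names.
class StateProvider
{
    // Session ID -> serialized session data, held only on the server side.
    private readonly Dictionary<string, byte[]> _store = new Dictionary<string, byte[]>();

    // 15 bytes from a CSPRNG = 120 bits; hex encoding is an assumption of this model.
    public static string NewSessionId()
    {
        var bytes = new byte[15];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // Serialize the session data and file it under the session ID.
    public void Save(string id, Dictionary<string, string> data) =>
        _store[id] = JsonSerializer.SerializeToUtf8Bytes(data);

    // Returns null for an ID the server never issued.
    public Dictionary<string, string> Load(string id)
    {
        byte[] blob;
        if (!_store.TryGetValue(id, out blob)) return null;
        // Deserialize back into the expected type (the "type cast" step).
        return JsonSerializer.Deserialize<Dictionary<string, string>>(blob);
    }
}

class Program
{
    static void Main()
    {
        var provider = new StateProvider();
        // Steps 1-2: first request; the server creates the ID and stores the data.
        string id = StateProvider.NewSessionId();
        provider.Save(id, new Dictionary<string, string> { ["UserName"] = "alice" });
        Console.WriteLine("Set-Cookie: ASP.NET_SessionId=" + id);
        // Steps 3-4: the next request carries only the ID; data is looked up server-side.
        var session = provider.Load(id);
        Console.WriteLine("UserName = " + session["UserName"]);
        // An ID the server never issued resolves to no session.
        Console.WriteLine("Unknown ID found: " + (provider.Load(StateProvider.NewSessionId()) != null));
    }
}
```

The session data never leaves the server in this model; the client holds only the ID, so the randomness of that ID is what stands between one client and another client's session.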