I'm an experienced developer new to ASP. I am building a typical site where
users are limited to certain areas based on a password. I think the logic
works as follows... The user logs in and security information must be stored
in the Session object. When the user requests a page, the ASP sends information
to IIS to see if the user has the right to access the page. Is this correct?
If not, please enlighten me. Any info on sites, books, etc. would be appreciated.

Thanks in advance.