Apr 05, 2012 03:23 PM|BrockAllen|LINK
Session has nothing to do with authentication. The [Authorize] attribute and any other security checks go against the built-in User object for User.IsInRole and User.Identity.Name checks.
Both session and forms authentication track the user with a cookie, but the point is that they're separate cookies with separate timeouts. And you don't have to use session to have authentication.
So with this bit of background info, what's the specific issue you're having?