So far you've only seen what happens when a user tries to access a page, but how does the logon process actually work?
Windows-based security is the simplest because most of it depends on Windows' response (everything is done on the same server or domain).
Forms-based Security
This is a bit more complicated, and there are two ways of doing it:
1) Without credentials in web.config
This is also simple, but FormsAuthentication (the object that handles forms-based security) does nothing but wait to be told what to do.
2) With credentials in web.config
You can clearly see that this does not rely on the developer to perform the authentication: the developer just sends the information to FormsAuthentication and it handles the rest (except that when control comes back to the page, the developer still has to redirect the user or take some similar action).
Passport authentication is massively different from both of the above methods because it does a lot of switching between servers. There are two different ways the user can be authenticated:
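The two forms-based cases above, side by side, as an added example that is not code from the original page. The control names, the user "alice", the demo salt and password, and the web.config values are assumptions made for illustration.

```csharp
// Added example. Assumed web.config for case 2 (name and hash are placeholders):
//   <authentication mode="Forms">
//     <forms loginUrl="Login.aspx">
//       <credentials passwordFormat="SHA1">
//         <user name="alice" password="SHA1_HEX_PLACEHOLDER" />
//       </credentials>
//     </forms>
//   </authentication>
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Hypothetical controls declared in Login.aspx.
    protected TextBox UserName, Password;
    protected Label Message;

    // Constructed demo record standing in for the application's own user store.
    static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-demo-salt");
    static readonly byte[] Stored = Derive("constructed-demo-password");

    static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
            return kdf.GetBytes(32);
    }

    // Case 1: no <credentials>. The page authenticates; FormsAuthentication only issues the cookie.
    protected void LoginOwnCheck_Click(object sender, EventArgs e)
    {
        byte[] candidate = Derive(Password.Text);
        int diff = UserName.Text == "alice" ? 0 : 1;
        // Compare every byte so the check does not exit early on the first mismatch.
        for (int i = 0; i < Stored.Length; i++) diff |= candidate[i] ^ Stored[i];
        Finish(diff == 0);
    }

    // Case 2: <credentials> present. FormsAuthentication checks web.config itself.
    protected void LoginConfigCheck_Click(object sender, EventArgs e)
    {
        Finish(FormsAuthentication.Authenticate(UserName.Text, Password.Text));
    }

    // Either way, the page still decides what happens after the check.
    void Finish(bool ok)
    {
        if (ok) FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        else Message.Text = "Invalid user name or password.";
    }
}
```

With passwordFormat="Clear" the passwords sit in web.config as plain text, and the SHA1 format stores an unsalted hash, so anyone who can read the file can attack the credentials offline. FormsAuthentication.Authenticate is marked obsolete from .NET Framework 4.5 in favour of the Membership APIs.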
1) Without Windows XP
Again, it relies on Passport's response. Also, the cookies give the user access to any part of the Passport network, and they carry information such as timeout, username/password and timestamps, all generated by the defaults at passport.com.
2) With Windows XP (running IE6)
The details for this method are sent through something called "passport authentication", which works differently from normal detail submission. There are, however, no details on the specifics of how it works, and it seems to have inconsistent authentication behavior. The cookies are also a bit different.