ASP session objects work on cookies. Because you are opening a new window in the same browser thread, it shares the cookies that are local to that thread. If you "Open In New Window...", it spawns a new local thread with the same base cookie file, but you should be able to login and do other things from there. You'll find whichever browser window that you close last will write to your global cookie file.
Session Objects are somewhat flawed, and you can never gaurentee that Abandon() will ever be called on a Session or Application object. It may be in your best interest to manually manage the cookies. I've never found an ASP application where the problems in the Session object were outweighed by it's convenience.
--
jaybonci