This would be one of those "yes... and no" type situations.

Yes, each person accessing the site would basically get their own 'session' in their interactions with the site. However... (and that's a strong word, however)... This is in large part affected by the methods and practices used in developing your code-behind components.

At the basic level, variables and passed information will relate to the session of the person who initiated them unless programmed otherwise. However, without specifically taking session states into account there are areas where this can go wrong and potentially cross populate information if mis-coded.

Hope that helps :) Please remember to mark as solved once your issue is resolved.

Defined session states (or equivalents) can add more direct control on the part of the coding that you implement but are not necessary for most day-to-day implementations of ASP.Net per-se.

Beyond that, I'll leave it to others more expert than I am to offer opinions on the importance (or lack of) of session state control and any scenarios where it might be more important than others.