I think it's easier with a short description of how sessions are supported...
When you send the first request to a web site, the site decides to initiate a session (to remember this user and track their usage of the site) and sends a session token back to the client. Any request sent from the client back to that site will contain that token, just like saying 'Hey, remember me?'.
The client doesn't distinguish between sending requests for static or dynamic content as it really doesn't know. It just keeps sending requests and including the token; the server is free to make use of the token if it wants or can ignore it.
With session tokens, the client will continue sending the token until one of several things occurs. If the browser is closed, the session is lost. If the token expires, it no longer gets sent. If the server 'rejects' the token, the client stops sending it, although this is a special case of the previous case, since the server instructs the client to expire the token immediately.
Coming back to your second question, a pop-up window is created by the original browser instance and also passes the token to the server. There is a bug in some versions of IE where this doesn't work, but the general rule is that pop-up windows don't affect the behaviour.
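
The exchange described in the post above, as an added example that is not part of the original thread: a simulated server and browser cookie store showing when the token is issued, sent, ignored and expired. The cookie name `SESSIONID`, the paths and the names `server_handle` and `Browser` are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side store: token -> per-user state

def server_handle(path, cookie_header):
    """Handle one request; return the Set-Cookie header to send, or None."""
    jar = SimpleCookie(cookie_header or "")
    token = jar["SESSIONID"].value if "SESSIONID" in jar else None
    if path == "/logout":
        SESSIONS.pop(token, None)
        # "Rejecting" the token: instruct the client to expire it immediately.
        return "SESSIONID=deleted; Max-Age=0; Path=/"
    if path.startswith("/static/"):
        return None  # the token arrives, but the server ignores it
    if token in SESSIONS:
        SESSIONS[token]["hits"] += 1  # known user: track usage
        return None
    token = secrets.token_urlsafe(32)  # new session: unguessable token
    SESSIONS[token] = {"hits": 1}
    return f"SESSIONID={token}; Path=/; HttpOnly; SameSite=Lax"

class Browser:
    """Constructed stand-in for a browser's in-memory session cookie store."""
    def __init__(self):
        self.cookies = {}

    def request(self, path):
        """Send one request; return the Cookie header that was sent."""
        sent = "; ".join(f"{k}={v}" for k, v in self.cookies.items()) or None
        set_cookie = server_handle(path, sent)
        if set_cookie:
            for name, morsel in SimpleCookie(set_cookie).items():
                if morsel["max-age"] == "0":
                    self.cookies.pop(name, None)  # expired by the server
                else:
                    self.cookies[name] = morsel.value
        return sent

    def close(self):
        self.cookies.clear()  # session cookies do not survive a browser close

if __name__ == "__main__":
    b = Browser()
    for path in ["/", "/static/logo.png", "/account", "/logout", "/"]:
        print(path, "-> sent Cookie:", b.request(path))
```

A pop-up opened by the same browser instance shares this cookie store, which is why it presents the same token.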