May be my question is crazy.

1) ASP.net MVC is stateless, so there is no session involved in here.

How does the authentication module work and do you have any articles which you can point me to understand the Authentication basics.

What are the authentication information stored in.

[Novice MVC]

The web is stateless. Both ASP.NET and ASP.NET MVC have mechanisms for creating an application state. Advocates of MVC like that it provides the developer with more control over how state is managed and how requests affect the managed state than Web Forms. Web Forms encapsulates state with ViewState which is not part of MVC. The MVC pattern allows you to control every action (including managing the application state) on a much more granular level. This is probably where you got the idea that MVC is stateless.

As a side note, you should favor using the TempDataDictionary over HttpSessionState for storing state-related data, because the default implementation the TempDataProvider is a wrapper of the HttpSessionState). The pattern is a little different but a good article can be found at http://www.gregshackles.com/2010/07/asp-net-mvc-do-you-know-where-your-tempdata-is/

ASP.NET (and MVC) authentication usually works by leveraging Forms Authentication. It can be configured in your web.config. ASP.NET Authentication Configuration.

If your client's browser supports cookies, the default behavior is for your authentication ticket to be stored in a cookie.

Who told you ASP.net MVC was stateless? In any case, authentication info is usually stored in an encrypted cookie. It's exactly the same as webforms in this regard.

UPDATE

Regarding ASP.NET MVC, see here for plenty to get you started: http://www.asp.net/mvc

For ASP.NET forms authentication, see MSDN

Technically, you could go stateless if you sent HTTP header authorization with every request.