Guess I should've thought of this first but it didn't dawn on me until I saw the answer from @Carl Raymond that I can just crack it open in reflector. So to answer my own question

public void Init(HttpApplication app)
{
    if (!_fAuthChecked)
    {
        _fAuthRequired = AuthenticationConfig.Mode == AuthenticationMode.Forms;
        _fAuthChecked = true;
    }
    if (_fAuthRequired)
    {
        FormsAuthentication.Initialize();
        app.AuthenticateRequest += new EventHandler(this.OnEnter);
        app.EndRequest += new EventHandler(this.OnLeave);
    }
}

OnEnter calls the private method OnAuthenticate which passes in the application context and this is where it validates/writes out the Form Auth tickets.

In OnExit it checks the response for a Http Status Error Code 401 and if it finds it, that's when it redirects to the Login Url.

This is handled by an HTTP module, System.Web.Security.FormsAuthenticationModule. If you look at the system-wide web.config file, c:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config, you can see where it's mentioned in the <httpModules> section. The site-specific web.config file will inherit the configuration in that file.

On each request, the module will look for an authentication cookie. If it's not present, the request is redirected to the login page. On a successful login, an authentication cookie is sent back to the browser. Then on subsequent requests, the browser will send the cookie, which will be validated by the module, and then the request is handled as usual.