There are two ways that you can use the SP to protect content:
Actively, by intercepting requests for particular resources and ensuring that a valid, authenticated session exists between the user agent and the SP software before passing along the request
Passively, by publishing information about valid, authenticated sessions through CGI variables, but passing unauthenticated requests through unmolested
In both cases, the information about the session supplied by the SP is provided uniformly so that applications can be programmed to respond dynamically based on the information. The AttributeAccess topic describes this mechanism in detail.
...
When using passive protection, you do NOT apply the requireSession content setting to the resource, but merely ensure that the SP software is active for the request (or often simply for the entire virtual host). For details, refer to the appropriate web server configuration topic (Apache, IIS, FastCGI).
...