BE is configured to use Forms Authentication, the main authentication method available in ASP.NET. You can see this in the Web.config file:
<forms timeout="129600" name=".AUXBLOGENGINE" protection="All"
slidingExpiration="true" loginUrl="~/Account/login.aspx" cookieless="UseCookies"/>
Forms authentication is configured here to use the cookie .AUXBLOGENGINE (see above). Roles are also being used. This is configured in the Web.config file too:
<roleManager defaultProvider="XmlRoleProvider" enabled="true"
Typically though, I don't believe you can access ASP.NET Forms authentication or roles data from classic ASP. The forms authentication cookie and roles are encrypted and decrypted within the ASP.NET environment. There might exist some ways to access the login data from classic ASP ... a Google search would probably turn up a bunch of hits.
The BE login page is using the built-in ASP.NET Login control, which handles passing the information entered to the membership provider to check and make sure the password is correct. This process can be done manually without using the Login control as well. It can be done manually because the membership system exposes an API to log people in, check their roles, etc.
The admin menu (to go to the control panel) is defined in the Web.sitemap file in the root folder. This defines the menu items as well as the roles the user must have in order to access those menu items. In the /admin folder there's a file named menu.ascx.cs that looks at this Web.sitemap file and outputs hyperlinks that the current user has access to.
Security is also enforced with the Web.config files in the subfolders. There's a Web.config file in the /admin folder, as well as the /admin/pages folder, and some other folders as well. These Web.config files define which users and which roles are allowed to access the folder and pages within the folder.
In summary, there's basically a lot of different components at work that make up the whole system. Some of the authentication is handled by BE code when it checks a user's role to see if they can do something. But a lot of the authentication is automatically enforced by ASP.NET. If a web.config file says that only "admins" can access a page, ASP.NET makes sure that when that page is being accessed, the person accessing it is logged in and in the "admins" role. This type of security automatically occurs without any special coding.
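Added example, not part of the original post and not BlogEngine.NET or ASP.NET code: a simplified Python model of how the allow/deny rules in a folder's Web.config are matched in order, with the first matching rule deciding access. The sample config and its role names are constructed, and the model ignores verbs and rules inherited from parent folders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a subfolder Web.config (for example /admin).
# The role names are hypothetical, not taken from BlogEngine.NET.
SAMPLE_ADMIN_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrators,Editors" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""


def _csv(value):
    # Names are compared case-insensitively (an assumption of this model).
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def load_rules(config_xml):
    """Return the ordered (action, users, roles) rules from <authorization>."""
    section = ET.fromstring(config_xml).find("system.web/authorization")
    if section is None:
        return []
    return [(r.tag, _csv(r.get("users")), _csv(r.get("roles")))
            for r in section if r.tag in ("allow", "deny")]


def is_allowed(rules, username=None, roles=()):
    """First matching rule wins; username=None models an anonymous request."""
    name = username.lower() if username else None
    held = {r.lower() for r in roles}
    for action, users, rule_roles in rules:
        matches = ("*" in users                        # everyone
                   or ("?" in users and name is None)  # anonymous only
                   or (name is not None and name in users)
                   or bool(held & rule_roles))
        if matches:
            return action == "allow"
    # No rule matched: the inherited default allows everyone, so a rule set
    # without a closing deny leaves the folder open.
    return True


def falls_open(rules):
    """True when an anonymous visitor is not denied by this rule set."""
    return is_allowed(rules, None)
```

Running `falls_open` over the rules of each protected folder's Web.config is a quick check that no folder relies on an allow rule alone.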