The first time a user requests a protected resource, the server will respond with status 401 (Unauthorized) and a WWW-Authenticate header that tells the user agent what authentication scheme is in use. This will usually result in the browser displaying the login/password dialog. If the user provides a login and password, the browser will calculate a hash (at least for "basic" authentication, which is the common, standard one) and send it in an Authorization header with future requests to the same server.
So the webserver knows you have logged in because your browser caches the authentication information and sends it for every request. There are no cookies involved, although the mechanism is very similar.
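The challenge and the per-request check described above, sketched as an added example (not code from the original text). In the Basic scheme (RFC 7617) the Authorization value is the Base64 encoding of `login:password`, so the server recovers the credentials on every request, and they are only as confidential as the transport. The user table, realm name and function names are assumptions made for illustration.

```python
import base64
import hmac

# Constructed sample account; a real server would store a password hash.
USERS = {"alice": "correct horse"}
REALM = "protected"  # assumed realm name

def client_authorization(login, password):
    """Header value a browser sends after the login dialog (RFC 7617)."""
    token = base64.b64encode(f"{login}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic(header):
    """Return (login, password), or None if the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and bad UTF-8
        return None
    # Only the first colon separates login from password.
    login, sep, password = decoded.partition(":")
    return (login, password) if sep else None

def handle_request(headers):
    """Stateless check: every request must carry the credentials again."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        expected = USERS.get(creds[0])
        # Constant-time comparison of supplied and expected password.
        if expected is not None and hmac.compare_digest(
                creds[1].encode(), expected.encode()):
            return 200, {}
    # No valid credentials: challenge the user agent.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
```

Because no session exists on the server, a request without the header gets the 401 challenge again, which is why the browser has to cache and resend the value.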