The webserver has of course no innate notion of sessions. It will have a user-name in the environment, based upon the log-in and password the users provided.

For all Apache cares, you could have multiple users using the same user-name and password (unless you specifically check that in your scripts).

What you seem to see as "tracking" user sessions is your clients browsers remembering the "realm" it enters and sending automatically the username + password when Apache asks for authentication (which it will do each time you request a restricted web-page).

If you use Firefox and you have installed the WebDeveloper extension, you can clear the HTTP authentication and your browser will ask you to input the username and password again.