When you're explicitly calling WebSecurity.Login, behind the scenes, .NET writes a cookie to the client's browser. As you know, cookie data is sent to the server with each request.
Because WebSecurity.IsAuthenticated looks for the authentication cookie, it will return false until the user makes a new request.
