Session keys are used when encrypting and decrypting data. They are created by applications using either the CryptGenKey or the CryptDeriveKey function. These keys are kept internal to the CSP for safekeeping.
Unlike public/private key pairs, session keys are volatile. Applications can save these keys for later use or transmission to other users by using the CryptExportKey function to export them from the CSP into application space in the form of an encrypted "key blob." (This procedure is discussed in Exchanging Cryptographic Keys.)