This is not actually a Wi-Fi mechanism. Such networks work exactly the same way as a fully open Wi-Fi network (i.e. no WPA or 802.1X or anything such), and your connection is fully established by the time you get the login screen.
Instead, for such "captive portal" networks, the actual sign-in procedure is implemented at IP level – using firewall and DNAT rules. It can also be applied to Ethernet, LTE (mobile data), or any other IP-based network.
The network's gateway has a DNAT rule that redirects all DNS (port 53) traffic to its local resolver and all HTTP (port 80/443) traffic to its local web server. No matter what website you try to visit, the router's own web server always responds with a "Redirect" response pointing to the login page. (All other kinds of network traffic are just outright blocked.)
When you log in, the system adds another firewall rule that exempts your device (by its IP and/or MAC addresses) from blocking and redirection, allowing you to finally access the outside network.
Note that although sometimes the login page pops up on is own, there isn't any mechanism here that would force your OS to show it. Instead the OS has to probe for such login pages by itself, by attempting to make a few HTTP requests and matching them against known responses. If the OS receives an unexpected redirect response, it assumes that's a Wi-Fi login page and shows it to you. (Web browsers also do similar probing on their own, as otherwise such redirects would cause a "certificate invalid" error page for HTTPS websites.)