They may have tucked away the "password" that is exposed in the image and expected in the post data in the session store. That way they just look at the data submitted -- and if it does not match the expected string action is taken.