And, of course, your server side keeps track of when it spits out the form, using some unique token embedded in the form/session cookie/whatever, and when it receives the response for that uniquely identified form.

Otherwise an unscrupulous test-taker could just save off the page, complete the quiz at their leisure, and then shove the form data back at your server, and you'd be none the wiser.