Slack. Or why you need to hash reset_token like password (sakurity.com)
3 points by homakov on March 28, 2015 | 2 comments


Even without an ID in the post, you could hash the input and search for a matching value in the DB, right? So not having an ID along with it isn't proof they aren't hashing tokens, but... I think hashing tokens, especially session_id, is a good defense-in-depth practice which almost no one is following.


> Even without an ID in the post, you could hash the input and search for a matching value in the DB, right

Hmmm indeed! If we hash the incoming value before searching then it would work. So with a black box it's impossible to tell, I'm sorry.
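The lookup-by-hash scheme the reply describes, as an added example that is not code from the post or from Slack: the server stores only a digest of the reset token, hashes the incoming value before the lookup (so no ID is needed in the request), and a leaked copy of the table yields nothing that can be submitted as a token. The in-memory dict standing in for a reset_tokens table and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a reset_tokens table: token digest -> user id.
# Only the digest is ever written here; the raw token goes to the user.
_reset_tokens: Dict[str, int] = {}


def _hash_token(token: str) -> str:
    # The token is 256 bits of random data, so a fast hash is enough to
    # make a stolen row useless; slow password hashes exist for
    # low-entropy secrets that an attacker could brute-force.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: int) -> str:
    """Generate a token, store its digest, and return the raw token."""
    token = secrets.token_urlsafe(32)
    _reset_tokens[_hash_token(token)] = user_id
    return token


def redeem_reset_token(token: str) -> Optional[int]:
    """Hash the incoming value first, then look it up; single use."""
    digest = _hash_token(token)
    matched = None
    for stored_digest in _reset_tokens:
        # Constant-time comparison of the digests.
        if hmac.compare_digest(stored_digest, digest):
            matched = stored_digest
            break
    if matched is None:
        return None
    return _reset_tokens.pop(matched)
```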



