That's correct - i double checked that and it's a form sent which leads sent to a destination which is unknown here. And a big + here is that, if someone has already malware and a cookie stealer on the PC, reading the __session Cookie and reveals Keys in readable format.