Though invisible to the users, a unique session ID is generated with each log-in. This ID is kept in cookies on the user's computer and sent to the server with each mouse click. The server keeps track of each session. It knows the associated user and what he or she is working on.
This has many benefits. A student cannot click "back" on the browser during an exam, because the server knows where the user is and will not serve up the previous question. Similarly, it is impossible to bookmark any page other than the opening page. However, if a student experiences power failure during an exam, the server will return the student to the exact question he or she was on after re-logging in (though time will still pass). If an experienced user tries to forge someone else's session ID by copying cookies or packet sniffing, the server will recognize the situation and foil the attempt. Once a user logs out, the server expires the session ID and the user's account is completely secure.
Apart from determined attack from experienced hackers, the only vulnerability of the system is collaboration: having one student take the test for another one. Instructors concerned about this vulnerability can schedule monitored sessions in a computer laboratory. This removes much of the benefit of having the exams on-line, but is useful periodically to keep the students completely honest.