Are you sure it's not referring to the session ID when it says the hash?

I think it means to suggest that you should send in your response a key value pair of response -> session ID that you get from the headers when you load that form.