He was able to load the session ID on ChipMixer just like I can, so that invalidates the phishing/fake website possibility.
I just tested with a made-up session ID ("aaaaaaaaaahbbbbbbbbbbddddddddddd"), and that works too. It gives a Deposit address. Based on this test, it makes sense any session ID from a phishing website would work too (and it can even give the owner of the phishing website access to your real session too!).
Alternatively, any phishing site can get a real session ID from the real ChipMixer website and show that on their own phishing website.