Consider the following website defense against phishing schemes. The first time users come to a website, they enter their username and password and are given a choice between several pictures. The association between the username and the chosen picture is stored in the server database. In all subsequent sessions, the user types in her username and expects to be shown a picture. Unless the users see the picture they chose during their first session, they do not enter the password. This helps users avoid giving their passwords to fake websites.

In your report, describe how the proposed scheme can be compromised to allow a fake website to show users their chosen picture. $($Hint: Assume that this is not the user$$s first session, i$.$e$.,$ she has already chosen the picture.$)$