OK, I can think of a few ways they might do this (DNS tricks and per-user IPv6 addresses, <src ip, src port, dst ip, dst port> => user mapping). These all seem significantly more complex than HTTP header injection though.