confusion about session _csrf_token and meta/input _csrf_token

Hello, im new to phoenix and there is a confusion for me about csrf tokens.
simple scenario:
there is a login form which has a hidden input field with name=“_csrf_token” and value={get_csrf_token()} as attributes.
inside the action for handling form submission, i logged the received parameters (which includes _csrf_token from hidden field) and the session cookie (using get_session(conn)) which also holds a _csrf_token key. According to Plug.CSRFProtection docs, i expect the _csrf_token from parameters and the one stored in session to be equal but i see different values when logging them to console.
Plug.CSRFProtection docs says:

For this plug to work, it expects a session to have been previously fetched. It will then compare the token stored in the session with the one sent by the request to determine the validity of the request.

i think there is point that im missing here.

The comparison is somewhat more involved than just “session == param” to defend against an exploit:

The BREACH attack is described in more detail here:

https://www.breachattack.com/