Securing Web Forms with PEAR's Text_CAPTCHA
Subject:   Using $_SESSION variables
Date:   2006-09-03 20:38:21
From:   Lee73
Isn't using session variables a gigantic achille's heal? It's trivial to read this with Curl (or whatever) and automate away.

I wrote an implementation recently that wrote a captcha with values 'XYZ', a hidden field with code 'ABC'. Simultaneously write to a table with two fields: ABC and XYZ. The only way the user can read XYZ is through viewing the image. It's more overhead, but less easily bypassed.