02-22-2008, 02:10 AM
Moderator
Join Date: Apr 2007
Posts: 1,393
Thanks: 5
@CMellor One thing that you might want to do is, after a successful CAPTCHA request/response, clear the session's "captcha" value. Otherwise people can capture the session id and a successful CAPTCHA response, and use it over and over and over again (hmm, sounds like something a bot would do). Also, at the moment, there's nothing to stop people adding their own '?chars=0' to the end of the CAPTCHA image and then sending along an empty response.
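An added example (not code from this thread) of the two fixes suggested in the post above, written in Python with a plain dict standing in for the server-side session. The function names, alphabet and fixed length are assumptions, and the check also consumes the challenge on a failed attempt, which goes one step beyond the post.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed set, no look-alike characters
CAPTCHA_LENGTH = 6  # assumed value, fixed server-side; never read from the image URL


def issue_captcha(session, query_params=None):
    """Create a new challenge and store it in the server-side session.

    query_params is accepted only to show that a client-supplied 'chars'
    value is ignored: the length always comes from CAPTCHA_LENGTH.
    """
    text = "".join(secrets.choice(ALPHABET) for _ in range(CAPTCHA_LENGTH))
    session["captcha"] = text
    return text  # the caller renders this into the image


def verify_captcha(session, response):
    """Check a response against the session and consume the challenge."""
    # pop() removes the stored value whether or not the answer is right,
    # so a captured session id plus a correct answer cannot be reused.
    expected = session.pop("captcha", None)
    # A missing or empty stored value, or an empty answer, never passes.
    # This is what stops an empty challenge matching an empty response.
    if not expected or not response:
        return False
    given = response.strip().upper()
    return hmac.compare_digest(expected.encode(), given.encode())


def demo():
    """Run the cases from the post against constructed sessions."""
    session = {}  # constructed stand-in for a server-side session store
    answer = issue_captcha(session, {"chars": "0"})  # 'chars' is ignored
    first = verify_captcha(session, answer)    # correct answer, first use
    replay = verify_captcha(session, answer)   # same answer, same session
    other = {}
    issue_captcha(other, {"chars": "0"})
    empty = verify_captcha(other, "")          # empty response
    return len(answer), first, replay, empty


if __name__ == "__main__":
    print(demo())
```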