Originally Posted by wdmny
Dew - The problem with your implementation of tracking the session is that you are passing the value to the bot. A smart bot would just post back all cookies and session values. The captchas yoey talks about address this problem because they hide the value from the bot.
A bot can not get your session, it could get the one in the form, so what? I think the risk of session hijacking for a form like this is pretty minimal. It's the fact that the token is passed both through the session and through the form that makes it work. So what if a bot gets the one through the form. If the form is not submitted from the site there will be no way for the numbers to match when the form processing scriot runs. These form hijackers are run from remote machines making this a bit dificult.
This is easier than a captcha as the user doesn't have to do anything extra.
Read here for more info on this.