laravel-captcha
The same Captcha code can be used unlimited times (defeating purpose of captcha)
If you manually fill out the captcha and submit the form, as long as you don't load a new captcha, you can then use the same captcha code to post to the same URL unlimited times.
It seems like the validator for the Captcha should also clear the bone_captcha session variable after validating the captcha, to avoid allowing the same code to be allowed multiple times.
As a workaround for my current project, I just manually wipe the bone_captcha field after it validates successfully. Then the user is required to load the captcha image before supplying the code (which makes a lot of sense).
If for some reason it's difficult to clear the bone_captcha session variable in the validator (I suppose this might be a backwards incompatibility issue, in the case that a project validates the captcha multiple times in a single request for some reason), then it should at least include in the examples in the readme that the bone_captcha session variable must be wiped after a successful validation.
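The replay problem and the workaround, as an added stand-alone PHP example that is not code from laravel-captcha or from the issue author. A plain array stands in for the Laravel session; the key bone_captcha is the one named in the issue, while the function names and the way the code is generated and compared are assumptions for illustration. The one-time validator goes slightly beyond the issue: it clears the stored code on any attempt, not only on success, so one rendered image also cannot be used for repeated guessing.

```php
<?php
// Added example, not part of laravel-captcha. Simulates the replay described in the
// issue with an array in place of the Laravel session. 'bone_captcha' is the session
// key from the issue; everything else here is a hypothetical stand-in.
declare(strict_types=1);

/** Hypothetical stand-in for rendering the captcha image: store a fresh code in the session. */
function generateCaptcha(array &$session): string
{
    $code = bin2hex(random_bytes(3)); // 6 hex characters, constructed sample code
    $session['bone_captcha'] = $code;
    return $code;
}

/** Behaviour reported in the issue: the code is checked but never removed, so it replays. */
function validateReplayable(array &$session, string $input): bool
{
    return isset($session['bone_captcha'])
        && hash_equals($session['bone_captcha'], $input); // constant-time compare
}

/** Workaround from the issue, generalised: the stored code is consumed by the first attempt. */
function validateOnce(array &$session, string $input): bool
{
    if (!isset($session['bone_captcha'])) {
        return false; // no image loaded since the last attempt
    }
    $ok = hash_equals($session['bone_captcha'], $input);
    unset($session['bone_captcha']); // wipe on success and on failure
    return $ok;
}

$session = [];
$code = generateCaptcha($session);

// Replayable validator: the same code keeps passing without loading a new image.
if (!validateReplayable($session, $code) || !validateReplayable($session, $code)) {
    throw new RuntimeException('expected the unpatched validator to accept the replay');
}

// One-time validator: first use passes, the replay is rejected, and a fresh image is needed.
if (!validateOnce($session, $code)) {
    throw new RuntimeException('first submission should pass');
}
if (validateOnce($session, $code)) {
    throw new RuntimeException('replayed code should be rejected');
}
$code = generateCaptcha($session);
if (!validateOnce($session, $code)) {
    throw new RuntimeException('a newly loaded code should pass once');
}
echo "one-time captcha check behaves as expected\n";
```

In a real Laravel application the equivalent of the unset above is to call session()->forget('bone_captcha') once the validator has passed (or failed), which is Laravel's standard session API rather than anything provided by the package.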