Index: captcha.module
===================================================================
--- captcha.module	(revision 1121)
+++ captcha.module	(working copy)
@@ -209,8 +209,19 @@
   );
 
   // Additional one time CAPTCHA token: store in database and send with form.
-  $captcha_token = md5(mt_rand());
-  db_query("UPDATE {captcha_sessions} SET token='%s' WHERE csid=%d", $captcha_token, $captcha_sid);
+//  $captcha_token = md5(mt_rand());
+//  db_query("UPDATE {captcha_sessions} SET token='%s' WHERE csid=%d", $captcha_token, $captcha_sid);
+  // Get the token for a captcha_sid
+  $captcha_token = db_result(db_query("SELECT token FROM {captcha_sessions} WHERE csid = %d", $captcha_sid));
+  // Generate a new token if the token could not be retrieved (but not if the form has been submitted, because otherwise the session could be reused.)
+  if (! isset($captcha_token) && ! $form_state['submitted']) {
+    // Additional one time CAPTCHA token: store in database and send with form.
+    $captcha_token = md5(mt_rand());
+    db_query("UPDATE {captcha_sessions} SET token='%s' WHERE csid=%d", $captcha_token, $captcha_sid);
+  } 
+
+
+
   $element['captcha_token'] = array(
     '#type' => 'hidden',
     '#value' => $captcha_token,
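Review bot: The token regenerated inside the new `if` still comes from `md5(mt_rand())`, a non-cryptographic generator with a small seed space, so this one-time anti-reuse token is more guessable than its 32 hex characters suggest. Drawing it from a CSPRNG the site's PHP version provides (for example `$captcha_token = bin2hex(openssl_random_pseudo_bytes(16));`, same length) would close that. Separately, `! isset($captcha_token)` only catches a NULL column: Drupal 6's `db_result()` returns FALSE when no row matches, which `isset()` treats as set, so a missing session row would put FALSE into the hidden field; `empty($captcha_token)` covers both cases. The two commented-out lines above the SELECT should be deleted rather than kept as `//` code. The enclosing function starts and ends outside this hunk, so whether the row is guaranteed to exist cannot be confirmed from here.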
@@ -388,6 +399,8 @@
       $captcha_placement = _captcha_get_captcha_placement($form_id, $form);
       _captcha_insert_captcha_element($form, $captcha_placement, $captcha_element);
 
+      $form['#submit'][] = 'captcha_submit_invalidate_session';
+
     }
   }
 }
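Review bot: Appending the handler to `$form['#submit']` does not guarantee it runs: in Drupal's form API a clicked button that defines its own `#submit` bypasses the form-level handlers, and submit handlers run only after validation has passed. On such forms the token would never be set to NULL, and because the first hunk now reuses a stored token instead of issuing a new one, the same `csid`/token pair would stay valid after a successful submission. Consider also registering the handler on the submit buttons, or keeping the success-case invalidation in the validation path, and add a comment such as `// Form-level #submit is skipped when the clicked button has its own #submit.` The enclosing function begins outside this hunk.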
@@ -499,7 +512,7 @@
         $posted_captcha_sid = NULL;
       }
       // Invalidate CAPTCHA token to avoid reuse.
-      db_query("UPDATE {captcha_sessions} SET token=NULL WHERE csid=%d", $posted_captcha_sid);
+      //db_query("UPDATE {captcha_sessions} SET token=NULL WHERE csid=%d", $posted_captcha_sid);
     }
   }
   return array($posted_form_id, $posted_captcha_sid);
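Review bot: With this UPDATE commented out, a failed CAPTCHA validation no longer clears the token, so a wrong answer can be followed by another attempt against the same session and token. Whether the solution is regenerated or attempts are bounded elsewhere in the module is not visible here and should be confirmed before merging. If moving invalidation to the submit handler is intended, delete the line and the now-misleading `// Invalidate CAPTCHA token to avoid reuse.` comment instead of leaving dead code, and replace it with a comment saying where invalidation now happens. The surrounding function starts outside the hunk.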
@@ -674,3 +687,13 @@
       break;
   }
 }
+/**
+ * Invalidate CAPTCHA token to avoid reuse.
+ * @param unknown_type $form
+ * @param unknown_type $form_state
+ */
+function captcha_submit_invalidate_session($form, $form_state) {
+  if (isset($form_state['captcha_info']['captcha_sid'])) {
+    db_query("UPDATE {captcha_sessions} SET token=NULL WHERE csid=%d", $form_state['captcha_info']['captcha_sid']);
+  }
+}
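Review bot: `captcha_submit_invalidate_session()` silently does nothing when `$form_state['captcha_info']['captcha_sid']` is absent, which leaves the token valid with no trace. Nothing in this diff shows where that key is populated, so an `else` branch that logs the miss, e.g. `watchdog('CAPTCHA', 'No CAPTCHA session id to invalidate.', array(), WATCHDOG_WARNING);`, would make the failure visible to operators. The docblock's `@param unknown_type` placeholders should become `@param array $form` and `@param array $form_state`, with a line stating that this is a form submit handler and therefore runs only after successful validation.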
