A spam-bot might post straight into the FORM's action
page, that is, the asp that does the captcha check.
Since the bot hasn't loaded the previous HTML and thus
hasn't "seen" the captcha image, it has no cookie.
When you check for CStr(SessVal) = CStr(TBoxVal), you
let him post because "" = "".
Attached patch verifies the session var is set :)
2006-08-24 15:23:56 UTC in The ASP CAPTCHA Project
