- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Affects Version/s: 2.2
- Component/s: None

CAPTCHA is currently keyed by session ID, which is wrong, because if you edit multiple pages at the same time, the CAPTCHA values will clobber each other. We should generate a random number, embed it in the form as a hidden field, then use that to validate the returned CAPTCHA.
A better approach would be to throw out the stored-value stuff, and use one-way crypto:
[REDACTED -- this solution won't work]
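
The first fix proposed above (a random value in a hidden form field as the lookup key), shown next to the session-keyed behaviour the report describes. This is an added example, not the project's code: the class names, the in-memory dict store, the sample answers, the session binding and the single-use behaviour are all assumptions made for illustration.

```python
import hmac
import secrets


class SessionKeyedCaptcha:
    """Behaviour the report describes: one stored answer per session."""

    def __init__(self):
        self._answers = {}  # session_id -> expected answer

    def issue(self, session_id, answer):
        self._answers[session_id] = answer  # overwrites any earlier form's answer

    def validate(self, session_id, submitted):
        expected = self._answers.pop(session_id, None)
        return expected is not None and hmac.compare_digest(expected, submitted)


class FormKeyedCaptcha:
    """Proposed fix: one stored answer per rendered form."""

    def __init__(self):
        self._answers = {}  # form_token -> (session_id, expected answer)

    def issue(self, session_id, answer):
        token = secrets.token_urlsafe(16)  # value for the hidden form field
        self._answers[token] = (session_id, answer)
        return token

    def validate(self, session_id, token, submitted):
        # Assumption: pop() makes each token single-use, so a solved CAPTCHA
        # cannot be replayed, and the token only counts in the issuing session.
        entry = self._answers.pop(token, None)
        if entry is None or entry[0] != session_id:
            return False
        return hmac.compare_digest(entry[1], submitted)


def two_tabs_demo():
    """Open two edit forms in one session, then submit the first one."""
    old, new = SessionKeyedCaptcha(), FormKeyedCaptcha()
    old.issue("sess-1", "kx7q")  # tab A (constructed sample values)
    old.issue("sess-1", "m2pd")  # tab B clobbers tab A's answer
    tok_a = new.issue("sess-1", "kx7q")
    new.issue("sess-1", "m2pd")
    # Session-keyed store rejects tab A's correct answer; form-keyed accepts it.
    return old.validate("sess-1", "kx7q"), new.validate("sess-1", tok_a, "kx7q")
```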