--- captcha.module	2011-02-06 21:45:12.000000000 +0100
+++ captchaNew.module	2011-02-18 18:58:53.000000000 +0100
@@ -211,9 +211,14 @@ function captcha_process($element, $edit
     '#value' => $captcha_sid,
   );
 
-  // Additional one time CAPTCHA token: store in database and send with form.
-  $captcha_token = md5(mt_rand());
-  db_query("UPDATE {captcha_sessions} SET token='%s' WHERE csid=%d", $captcha_token, $captcha_sid);
+  // Get the token for a captcha_sid
+  $captcha_token = db_result(db_query("SELECT token FROM {captcha_sessions} WHERE csid = %d", $captcha_sid));
+  // Generate a new token if the token could not be retrieved (but not if the form has been submitted, because otherwise the session could be reused.)
+  if (! isset($captcha_token) && ! $form_state['submitted']) {
+    // Additional one time CAPTCHA token: store in database and send with form.
+    $captcha_token = md5(mt_rand());
+    db_query("UPDATE {captcha_sessions} SET token='%s' WHERE csid=%d", $captcha_token, $captcha_sid);
+  }
   $element['captcha_token'] = array(
     '#type' => 'hidden',
     '#value' => $captcha_token,
@@ -518,8 +523,10 @@ function _captcha_get_posted_captcha_inf
           // Invalidate the CAPTCHA session.
           $posted_captcha_sid = NULL;
         }
-        // Invalidate CAPTCHA token to avoid reuse.
-        db_query("UPDATE {captcha_sessions} SET token=NULL WHERE csid=%d", $posted_captcha_sid);
+        // Invalidate CAPTCHA token to avoid reuse. Don't do this when form is not submitted.
+        if ($form_state['submitted']) {
+          db_query("UPDATE {captcha_sessions} SET token=NULL WHERE csid=%d", $posted_captcha_sid);
+        }
       }
     }
     else {