Session cookie sharing could bypass csswaf #5

@runxiyu

Description

A bot that successfully passes the challenge could forward it on to other bots in the bot network and use it to access the page without needing to validate.

While it is relatively difficult to prevent these classes of attacks altogether, the solution from Anubis and my PoC is to use the source client's IP address and other info to produce a unique-ish identifying hash, which imo is more sound than using session cookies for this.
