
Unset session captcha after validating

Kez requested to merge bugfix-captcha-replay into production

Context: #3

The current captcha system is vulnerable to captcha replay attacks. In this attack, a captcha is requested once, solved once, and then the solved captcha is re-used in multiple requests. Attackers can use this to bypass captchas on donate.tpo and newsletter.tpo, allowing them to script small donations (a common technique for checking stolen credit cards), or sign people up to our newsletter repeatedly without their consent (which hurts our email reputation).

The vulnerability here is due to the captcha validation code never invalidating the captcha in the user session. Currently the captcha is only invalidated when requesting a new captcha. Unsetting the captcha key in the session stops the re-use of captchas.

This MR won't fix all of the issues with our captchas, and tpo/web/team#27 and tpo/tpa/team#41112 (closed) are still relevant. Obviously this change will need to be tested before deploying so that we don't break captchas for everyone in the case of a bug.

/cc @anarcat @mathieu
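The bug and the fix described in the MR, shown side by side as an added example (this is not the donate.tpo/newsletter.tpo code or any code from the MR itself). It assumes a dict-like server-side session (the shape of PHP's `$_SESSION` or Flask's `session`); the session key name `captcha_answer` and the helper names are hypothetical. `validate_vulnerable` mirrors the pre-fix behaviour (the stored answer is only overwritten when a new captcha is issued), `validate_fixed` removes the answer from the session as part of validation so a solved captcha is accepted exactly once, and `replay_count` is a regression check of the kind the MR says is needed before deploying:

```python
"""Captcha replay: vulnerable vs fixed session handling (added example)."""
import hmac
import secrets
import string

# Hypothetical session key; the real application's key name is not in the MR.
CAPTCHA_KEY = "captcha_answer"


def issue_captcha(session: dict, length: int = 6) -> str:
    """Generate a challenge and store the expected answer in the session.

    Writing a fresh answer overwrites any previous one. Per the MR, this
    overwrite was the only invalidation the old code performed.
    """
    alphabet = string.ascii_uppercase + string.digits
    answer = "".join(secrets.choice(alphabet) for _ in range(length))
    session[CAPTCHA_KEY] = answer
    return answer  # a real app renders this as an image; returned here for the demo


def _matches(expected: str, submitted: str) -> bool:
    """Constant-time comparison after normalising the user's input."""
    normalised = submitted.strip().upper().encode("utf-8")
    return hmac.compare_digest(expected.encode("utf-8"), normalised)


def validate_vulnerable(session: dict, submitted: str) -> bool:
    """Pre-fix behaviour: compares but never removes the stored answer,
    so the same solved captcha is accepted on every subsequent request."""
    expected = session.get(CAPTCHA_KEY)
    if expected is None:
        return False
    return _matches(expected, submitted)


def validate_fixed(session: dict, submitted: str) -> bool:
    """Post-fix behaviour: unset the session key as part of validating.

    Popping before comparing (a design choice here, not specified by the
    MR) also means a wrong guess consumes the captcha, so one challenge
    cannot be guessed at repeatedly either.
    """
    expected = session.pop(CAPTCHA_KEY, None)
    if expected is None:
        return False
    return _matches(expected, submitted)


def replay_count(validate, attempts: int = 5) -> int:
    """Solve one captcha once, then replay the same answer `attempts` times.

    Returns how many submissions were accepted. With correct invalidation
    exactly one is accepted; the vulnerable path accepts all of them.
    """
    session: dict = {}
    answer = issue_captcha(session)  # the user solves this once
    return sum(1 for _ in range(attempts) if validate(session, answer))


if __name__ == "__main__":
    print("vulnerable:", replay_count(validate_vulnerable), "of 5 replays accepted")
    print("fixed:     ", replay_count(validate_fixed), "of 5 replays accepted")
```

The check to run before deploying is the second one: after the fix, resubmitting a solved captcha must fail, and a missing session key must be rejected rather than treated as "no captcha required".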
