Hi Laibach,
Actually, this sort of failure is not because of "bad programming" or "bad implementation", but because not all browsers behave like they should when it comes to session-ids and temporary content. Even if you tell Firefox NOT to save any cache items, it still saves the temporary parts and displays the "old" security code image with the wrong session-id, which is valid one time only. If you make any other request before entering the right code, the security code isn't valid any more and therefore a new security code is built. The "normal" function for the session would be deleting the session-id and cache items and requesting the whole content from the server again, but for performance reasons Firefox isn't requesting a new session-id with the download of the new security code image, and that's the reason why these failures happen. 😉
… and no (!!!), there is no possibility that this failure may be used for an exploit, because the server builds a new session-id and a new security image every time, until you put in the right code. Any other code is blocked during this security procedure.
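The behaviour described in the post above, as an added example that is not part of the original post or the forum software's own code: a single-use security code bound to the session, where a code read from a cached image fails and is never accepted twice. The class name, the image URL, the per-challenge nonce and the no-store headers are assumptions chosen for illustration.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed character set

class SecurityCodeStore:
    """Hypothetical in-memory store: one pending single-use code per session."""

    def __init__(self):
        self._pending = {}  # session_id -> (nonce, code)

    def issue(self, session_id):
        """Replace any pending code; return (image_url, response_headers, code)."""
        nonce = secrets.token_urlsafe(8)
        code = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[session_id] = (nonce, code)
        # A per-challenge URL means a cached older image is never the one requested.
        headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
        return f"/securitycode.png?n={nonce}", headers, code

    def code_to_render(self, session_id, nonce):
        """Serve the image only for the nonce of the currently pending code."""
        pending = self._pending.get(session_id)
        if pending and hmac.compare_digest(pending[0].encode(), nonce.encode()):
            return pending[1]
        return None

    def verify(self, session_id, answer):
        """Consume the pending code on every attempt, whether right or wrong."""
        pending = self._pending.pop(session_id, None)
        if pending is None:
            return False
        return hmac.compare_digest(pending[1].encode(), answer.upper().encode())

def demo():
    store = SecurityCodeStore()
    sid = "constructed-session-id"              # constructed sample value
    url_old, _, code_old = store.issue(sid)
    url_new, _, code_new = store.issue(sid)     # another request before the code is entered
    old_nonce = url_old.split("n=")[1]
    stale_image = store.code_to_render(sid, old_nonce)  # None: old image is no longer served
    stale_answer = store.verify(sid, code_old)  # user typed the code from a cached image
    _, _, code_next = store.issue(sid)          # server builds a new code after the failure
    first_try = store.verify(sid, code_next)
    replay = store.verify(sid, code_next)       # same code a second time
    return stale_image, stale_answer, first_try, replay, url_old != url_new
```

`issue()` returns the code only so the demo can check it; a real handler would render it into the image and never send it as text.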