"In between the time a user requests a CAPTCHA and the time the CAPTCHA is scored, Asirra must keep state in order to recognize if the answer was correct, and do other accounting."

In this section, the paper only explores ways of keeping state on the server. But a better way to do this is to give the client an encrypted token -- as a cookie or as part of the form action URL -- identifying the CAPTCHA they were sent. Then the server itself can be stateless.

Interesting.