Till Wehowski - 2019-11-12 17:00:28 - In reply to message 1 from I. Gaffling
An attacker may ignore the session cookie, so the session could be generated for a new session ID on every request.
So the script would treat each of the attacker's requests as if it hits the page for the first time.
You may use additional security methods relying on session, e.g. a captcha or something else.