The session will always exist because it is defined above. You would have to switch the order for that to do anything.
Why not do a CAPTCHA server side using the one from webassist? The previous technique of putting the hash into a hidden form element was a good solution as well. I don't quite understand why you would remove it. Why would it need to match on first page load? Wouldn't you only need it to match after the form submits to send the email?