There's no session ID for current user. They can try to use IP as identifier. Admins can send remoteip to google to prevent spoofing but that parameter is optional and I suppose they don't rely on it.
Would require an extra roundtrip... Problem is that you get challenges with client side and solve it with server side. It's website who should go, get a challenge for you, put it in your session cookie and make sure you don't go and get another one. Which complicates it a lot
Why don't they just invalidate the current challenge when a new one is requested? :S