add at least one solved token to an ImageCaptchaSession

Currently it might happen that 0 images in an ImageCaptchaSession are a positive example for the task that should be solved. This could be used by an attacker to brute force the captcha.

The number of minimum required truly solved tokens should also be random.