Spoof checking is for low level session and form validation. With it turned off CB can't safely determine if the form was submitted internally or not. It is a security risk to disable it. I do not recommend disabling, but instead resolving the issue you're having with sessions (likely 3rd party conflict in most cases). Please also upgrade to CB 1.3 before making any adjustments.