> 2. I don't think it's a global variable issue. Basically, I just grab
> the cookie by $r->header_in('Cookie') and decrypt it.
It's what you do after that that matters.
> Besides, if it's global then the "mistaken" IDs should
> be from anywhere randomly.
True, but random may not always look random.
> There is this nagging fact that the parties involved are from the same
> ISPs, i.e. user A1 and A2 are from foo.com, user B1 and B2 are from
> bar.com, etc.
You aren't using IP or domain as part of your ID generation, are you? That
would be bad.
- Perrin