> 2. I don't think it's a global variable issue. Basically, I just grab
> the cookie by $r->header_in('Cookie')
> and decrypt it.

It's what you do after that that matters.

> Besides, if it's global then the "mistaken" IDs should
> be from anywhere randomly.

True, but random may not always look random.

> There is this nagging fact that the parties involved are from the same
> ISPs, i.e. user A1 and A2 are
> from foo.com, user B1 and B2 are from bar.com, etc.

You aren't using IP or domain as part of your ID generation, are you? That would be bad.

- Perrin