PerlMonks
Re: CGI Session behavior

by cees (Curate)
on Jul 17, 2005 at 23:35 UTC ( [id://475607] )


in reply to CGI Session behavior

There is an undocumented method called 'is_new' that can tell you when a new session has been created. That should tell you if the session ID already existed in the data store.

However, you cannot guarantee that the session ID is invalid or that it has been tampered with, because the session may have timed out legitimately, or you ran a cleanup script that removed the session from the data store. So just because a session ID doesn't exist does not mean that someone tampered with their cookies or URL parameters.

If you are truly concerned about tampering with the session ID, then you should sign them in some way. One way to do that is to let CGI::Session generate a new ID for you, but tack on a small unique string to the end and encrypt the whole thing before sending it to the client. You are just encrypting a random string with a bit of text at the end, but only you can decrypt it. When you decrypt the ID, check to make sure it has the known string at the end, and you know you have a valid ID. If you cannot decrypt the text, then the ID was tampered with (you may not even need the unique string at the end, but I am not a cryptanalyst, so I'd add the extra precaution in there).

That having been said, that is a lot of work just to guarantee someone didn't mess with a randomly generated ID. You need to ask yourself if it is really that important.
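An added worked example (not code from the post above and not part of CGI::Session) of the tamper-evident session ID the reply describes. The post's scheme encrypts the random ID plus a known suffix and checks the suffix after decryption; the example instead appends an HMAC tag computed with a server-side key, which gives the same tamper evidence with a standard message-authentication primitive and no cipher. It also separates the three outcomes the reply distinguishes: a token whose tag fails (tampered), a token whose tag verifies but whose ID is no longer in the store (expired or cleaned up), and a live session. The secret key, the in-memory store and the token format "id.tag" are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Server-side key; assumption for this example only. A real deployment loads it
# from configuration and never ships it to the client.
SECRET_KEY = b"example-server-secret-do-not-use"


def _tag(session_id: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the session ID; only a holder of the key can produce it."""
    return hmac.new(key, session_id.encode("ascii"), hashlib.sha256).hexdigest()


def new_session_token(key: bytes = SECRET_KEY) -> str:
    """Generate a fresh random ID (the part CGI::Session would generate) and
    append the tag, producing the value that goes into the cookie."""
    session_id = secrets.token_hex(16)
    return f"{session_id}.{_tag(session_id, key)}"


def verify_token(token: str, key: bytes = SECRET_KEY):
    """Return the session ID if the tag verifies, otherwise None.
    None means the client-supplied value was malformed or altered."""
    session_id, sep, tag = token.rpartition(".")
    if not sep or not session_id or not tag:
        return None
    # compare_digest avoids leaking the tag via timing; it also returns False
    # when the lengths differ, so a truncated tag is rejected safely.
    if not hmac.compare_digest(_tag(session_id, key), tag):
        return None
    return session_id


def classify(token: str, store: dict, key: bytes = SECRET_KEY) -> str:
    """Distinguish the cases the reply describes: a bad tag is tampering; a good
    tag with no stored session is a legitimate timeout or cleanup."""
    session_id = verify_token(token, key)
    if session_id is None:
        return "tampered"
    if session_id not in store:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed demo: a store keyed by session ID, as a data store would be.
    store = {}
    token = new_session_token()
    store[verify_token(token)] = {"user": "demo"}
    print(classify(token, store))            # valid
    print(classify(token, {}))               # expired: tag good, session gone
    forged = "0" * 32 + "." + "0" * 64      # attacker-chosen ID without the key
    print(classify(forged, store))           # tampered
```

Rotating SECRET_KEY invalidates every outstanding token at once, which is the same effect as the reply's "only you can decrypt it": without the key, a client can change the ID but cannot produce a tag that verifies.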
