In addition to kyle's suggestion, I would consider placing the session in a cookie instead of having it floating around in hidden form fields.

Or give CGI::Session a try.