It is used all over and contains the parameters (pairs) of the request. No it isnt/doesnt, $query seems to have a cgi object in it, but %query (a whole nother thing) if dumped would look like

{
$dsn               =>$sql_username,
$sql_password      =>$sql_user_table,
$sql_session_table =>$passhash,
$sessionhash       =>$uvId,
$username          =>$ipaddress
}
[download]

$query->param(...) is not the same as $query{admin} (which at times contains '72.168.129.123').

Those wern't the error.log lines of interest, the ones from this were

warn ("*****LOGIN ATTEMPT USER INFORMATION Uid: $uid username: $us
+ername  password: $password ipaddress: $ipaddress");
[download]

I understand old code too, been looking over the stuff i wrote back in '96, full of &subroutine calls, *var=... statements, raw socket setups, and require 'cgi-lib.pl' statements. But i cant find the dos bigperl code, it may only exist on floppys now

You need to step back and look at what is really going on, not what you think is going on. you are using global variables that you dont know where they are being set, ie

     #my $ipaddress = $session->remote_addr();
     warn("AccessInOutLog line 688: $username  $forename  $lastname $t
+imein $ipaddress $timeout");
[download]

I showed $session->expires() still works just fine, if you are not getting what you want by it you need to find out everywhere you change it and figure out which one is the last one to change it.

And warn(...) to the error.log is not the way to debug. You have stuff in there that shouldnt be there. Those logs could be archived for years and years.