If you are constrained thusly why not store the session id in the url rather than as a hidden field? If you are using POST for your data this should not involve a major change. Then refresh should work.

http://yoursite.com/session.cgi?id=MD5hash

# in the cgi
if ( $ENV{'$QUERY_STRING'} =~ m/id=(.+)/ ) {
     my $session_id = $1;
     valid_id($session_id) ? continue_session($session_id) : new_sessi
+on();
} else {
     new_session();
}
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print