Well I would say it depens on where you want to use it. If it's in your company for example and people have no dynamic IPs it would be a good thing I think. I've done the same thing already and just did a module which is called by every Website and then check's ID etc. But I would suggest you to use a "LOGOUT" Function so that noone else can use that one for sure any more. But if it's for a website out there somewhere, use Apache::Session; is a really good idea for the reasons the others already mentioned. But nothing is "really" secure...you know that :)