First, I doubt that '+h' is valid syntax for cookies. Which is probably the reason it stopped working. '+3h' on the other hand, is valid cookie syntax.

As for CGI::Session, it can store it's session value in a cookie or in a hidden variable or in the URL. The later two should pass through most firewalls. At least I never heard of a firewall that would parse the URLs and extract just the session ID. ;-)