in reply to CGI session vs cookie
CGI::Session doesn't really take the place of cookies, but it supplements them. Since the data for a session is stored on your server, you know it is more secure than a cookie. As you mentioned, cookies can be changed. I normally store some sort of session ID in the cookie and use that + the IP address (CGI::Session will handle that for you) to then retrieve the session data. In that way no real data is stored on a user's machine, and it would be harder to use the cookie to steal access to the account. I think cookies are pretty reliable, but even if they are not, CGI::Session provides means for including that session ID in forms or links as well.
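The pattern described in the reply, as an added example that is not part of the original post: only the session ID travels in the cookie, the data stays in a server-side directory, and CGI::Session's IP matching is switched on. The addresses, the `user` field and the temporary directory are constructed for the demonstration, and requests are simulated by setting `REMOTE_ADDR` by hand.

```perl
#!/usr/bin/perl
# Added example: needs CGI::Session from CPAN. All sample values are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);
use CGI::Session;

# Tie each session to the address that created it
# (same switch that "use CGI::Session qw/-ip_match/;" turns on).
$CGI::Session::IP_MATCH = 1;

my $dir = tempdir(CLEANUP => 1);    # server-side store; never sent to the client

# Open a session the way a request handler would: $sid is the value the
# browser presented in its cookie (undef on a first visit), $addr its address.
sub open_session {
    my ($sid, $addr) = @_;
    $ENV{REMOTE_ADDR} = $addr;      # simulated; a web server sets this itself
    return CGI::Session->new('driver:file', $sid, { Directory => $dir })
        || die CGI::Session->errstr;
}

# Request 1: login. The user name is written to $dir, not to the cookie.
my $login = open_session(undef, '192.0.2.10');
$login->param('user', 'alice');
$login->expire('+1h');              # stale IDs stop working after an hour
my $cookie_value = $login->id;      # the only thing the browser receives
$login->flush;
undef $login;
printf "cookie sent: %s=%s\n", CGI::Session->name, $cookie_value;

# Later requests present the same cookie value from two different addresses.
for my $addr ('192.0.2.10', '198.51.100.7') {
    my $s = open_session($cookie_value, $addr);
    printf "%-13s session id %s, user=%s\n", $addr,
        ($s->id eq $cookie_value ? 'accepted' : 'replaced'),
        $s->param('user') // '(none)';
    $s->flush;
}
```

IP matching also turns away legitimate users whose address changes mid-session (mobile networks, some proxies), so it works best as one check alongside session expiry rather than the only one.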