Wouldn't you just store the values in a hash (keyed by the hostname, values are the time), and store that in the session? Then, as the request comes in, you would load the existing hash from the session, validate the current request, and refuse or update based on the results?

It has been a little while since I read through the C::S information, but check out CGI::Session::Tutorial, I would guess that there would be something that could be modified in there.

--MidLifeXis