in reply to sessions: MD5 versus random strings

you wrote:
In either case, it makes sense to also include the IP address of the user as part of the security check, adding security to either system.
Client IP address can change during a session (i.e. due to a pool of proxy servers), so I would not include the remote IP in the session check.
A good (IMHO) way to generate an MD5 session ID could be:
    use MD5;

    my $MD5 = MD5->new;
    # Hash the process ID, a random number, the current time and the access age of /tmp
    $MD5->add($$ . rand() . time() . (-A '/tmp'));
    my $SessionID = $MD5->hexdigest;
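
An added example, not part of the original post: the post's construction next to a variant that reads 16 bytes from /dev/urandom, with a session lookup that matches on the ID alone, as the post suggests. The use of Digest::MD5, the %sessions store, the function names and the sample values are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Construction from the post: hash of PID, rand(), time and the access age
# of /tmp. Digest::MD5 (core module) stands in for the older MD5 module.
sub session_id_from_process_state {
    return md5_hex($$ . rand() . time() . (-A '/tmp'));
}

# Variant (assumption of this example): 16 bytes from the kernel CSPRNG,
# so the ID does not depend on values an outsider can estimate.
sub session_id_from_urandom {
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 16);
    close($fh);
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack('H*', $bytes);    # 32 hex characters, same shape as an MD5 hex digest
}

# Hypothetical in-memory session store; a real application would use
# its own backend (database, file, cache).
my %sessions;

sub create_session {
    my ($user) = @_;
    my $id = session_id_from_urandom();
    $sessions{$id} = { user => $user, created => time() };
    return $id;
}

# Session check in line with the post: only the ID is matched, the client
# IP is not part of the comparison. Malformed IDs are rejected before lookup.
sub lookup_session {
    my ($id) = @_;
    return unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;
    return $sessions{$id};
}

my $id = create_session('alice');    # constructed sample user
printf "post-style id : %s\n", session_id_from_process_state();
printf "urandom id    : %s\n", $id;
printf "lookup ok     : %s\n", lookup_session($id)      ? 'yes' : 'no';
printf "malformed id  : %s\n", lookup_session('../etc') ? 'yes' : 'no';
```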