in reply to Session Tokens for Log-in

There's no guarantee that a user will be coming from the same IP address for every hit. AOL users, for example, have rotating proxy servers.

I would use something time-tested like CGI::Session instead. It has an interface for MySQL databases and makes all the session-handling details easy as pie.
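
The rotating-proxy point above, as an added example that is not part of the original reply: it replays one browser's requests arriving from three proxy addresses against a token bound to the login IP and against a random session id looked up server-side. The IP-bound scheme, the in-memory `%store`, and all names and sample values are assumptions made for illustration; it uses only core Perl modules rather than CGI::Session and MySQL, and reads `/dev/urandom`, so it expects a Unix-like system.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed sample: one logged-in browser whose requests leave through
# three different proxy addresses (documentation-range IPs, RFC 5737).
my @requests = (
    { ip => '192.0.2.10',   path => '/inbox'   },
    { ip => '192.0.2.77',   path => '/compose' },
    { ip => '198.51.100.4', path => '/logout'  },
);
my $secret = 'constructed-demo-secret';    # assumption: server-side key

# Scheme A (hypothetical): the token is derived from user + login IP,
# so it only validates while the client keeps the same address.
sub ip_bound_token {
    my ($user, $ip) = @_;
    return hmac_sha256_hex("$user|$ip", $secret);
}

# Scheme B: random session id; all state lives server-side with an expiry.
my %store;    # stand-in for the database table a session module would use
sub new_session {
    my ($user, $ttl) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $raw, 16) == 16 or die "short read from urandom";
    close $fh;
    my $sid = unpack 'H*', $raw;    # 128 random bits, hex-encoded
    $store{$sid} = { user => $user, expires => time + $ttl };
    return $sid;
}
sub session_user {
    my ($sid) = @_;
    my $s = $store{$sid} or return;    # unknown id: not logged in
    if ($s->{expires} <= time) { delete $store{$sid}; return }
    return $s->{user};
}

my $token_a = ip_bound_token('alice', $requests[0]{ip});   # issued at login
my $sid_b   = new_session('alice', 1800);                   # 30-minute session

for my $r (@requests) {
    my $a_ok = ip_bound_token('alice', $r->{ip}) eq $token_a;
    my $b_ok = defined session_user($sid_b);
    printf "%-13s %-9s ip-bound=%-6s server-side=%s\n",
        $r->{ip}, $r->{path}, $a_ok ? 'ok' : 'REJECT', $b_ok ? 'ok' : 'REJECT';
}
```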