in reply to What if the bad-guys send nonsense as a session-id?
Good question. The official max length of a cookie is 4K, which should be policed for you by Apache, such that a cookie larger than this will not be accepted as a valid request (and so not passed to your Perl script).
In terms of a large (e.g. 4K) fake session ID breaking anything, this sounds unlikely, since CGI::Session will try to match this against your existing server-side cookie store (may be files or database depending on your settings), and when it fails to find a match it will ignore it and generate a new session ID instead.
I don't believe that simply testing for the existence of a (non-existent) 4K filename/database key will do any harm in itself, unless anybody knows otherwise?
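One way to make sure a junk cookie value is never even tried as a filename or database key is to whitelist-check its shape before handing it to CGI::Session. This is an added example, not code from the original post or from CGI::Session itself; it assumes the module's default ID generator (CGI::Session::ID::md5, 32 lowercase hex characters) and its default cookie name CGISESSID, and the session directory /tmp/sessions is a placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Added example (not from the original post). Only pass CGI::Session a
# session id that looks like one it could have issued. The default id
# generator (CGI::Session::ID::md5) yields 32 hex characters, so anything
# else, including a 4K blob of nonsense, is discarded before it is used
# as a lookup key, and a fresh session is started instead.
my $cgi = CGI->new;
my $sid = $cgi->cookie('CGISESSID');   # CGISESSID is CGI::Session's default cookie name

# Returns true only for a well-formed id; an absent cookie is "not valid" too.
sub looks_like_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{32}\z/;
}

$sid = undef unless looks_like_session_id($sid);

# With $sid undefined CGI::Session creates a new session. With a well-formed
# id that is not in the store it also creates a new one (the behaviour the
# post describes); malformed ids simply never reach the store.
# Directory is a placeholder; use your configured session store.
my $session = CGI::Session->new('driver:File', $sid, { Directory => '/tmp/sessions' })
    or die CGI::Session->errstr;

# Emits the Set-Cookie header for a newly created session.
print $session->header();
print "Session id in use: ", $session->id, "\n";
```

The check costs a single regex match per request and keeps oversized or odd-looking values out of the store entirely, so the question of whether a 4K key could upset a particular file or database driver does not arise.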