> Session data are tainted, because they are external.  Maybe there's a
> smarter way to untaint trusted external data.  But I have no idea
> right now.  Currently, You have to remove taintedness by yourself
> using "untaint".

The session data is not external, but the _key_ is.  I don't know how
this changes the discussion, but it seems important to me.

~ Patrick