I'm developing a site that uses cookies to identify users. Initially, to generate the ID that I bake up each cookie with, I use this commonly seen code:

sub unique_id() {
    # Use Apache's mod_unique_id if available
    return $ENV{UNIQUE_ID} if exists $ENV{UNIQUE_ID};

    require Digest::MD5;

    my $md5 = new Digest::MD5;
    my $remote = $ENV{REMOTE_ADDR} . $ENV{REMOTE_PORT};

    # ** Note ** This is intended to be unique, not unguessable
    my $id = $md5->md5_base64(time, $$, $remote);
    $id =~ tr|+/=|-_.|;     # make non-word characters URL friendly
    return $id;
}
[download]

Currently, I'm trying this cheap Camel ripoff to untaint a cookie that was given to me from the client (ie. I've already generated the cookie for this client, so they pass it to my program, therefore making it tainted):

sub untaint_cart_id($) {
    my $old_id = shift;   
    my $cart_id;

    #print "$old_id<BR>";
    if ($old_id =~ /^([-\@\w.]+)$/) {
        $cart_id = $1;
    }
    else {
        die("Bad Cart ID");
    }
    #print "$cart_id<BR>";

    return $cart_id;
}
[download]

which dies often (in fact, anytime the cookie's ID doesn't contain a mix of -'s, @'s and word chars).

So how can I untaint the cookie when the user returns to the site? I obviously would rather not pull any /^(.*)$/ ugliness, because that doesn't get me anywhere.