Posted to modperl@perl.apache.org by FF...@Exchange.WebMD.net on 2002/10/30 17:49:57 UTC

AuthCookie & Frames

I'm having a slight problem using AuthCookie in our app because our app
(unfortunately) is a frames-based interface.  To summarize the problem and
efforts I've made to date, my goal is to be able to display a message on the
login page telling them why they are seeing the login page.  Options are:
'Login Incorrect', 'Previous Session Timed Out', 'Session Deactivated Due To
Login From Another Location', etc...

My first attempt was to try to just set values in the subprocess_env, and
since AuthCookie works by removing a user's cookie and then doing redirects
to the login page if a user is not validly logged in, I could always just
look at $r->prev->subprocess_env('login_error_msg') for the cause.  However,
since I am using frames, this doesn't work in all cases.

If for example a user is currently at a part of the site that has three
frames, and then walks to his co-worker's office and uses that computer to
log in, we have invalidated his old session back at his desk.  If he goes
back to his own desk and tries to navigate in the app, we want to redirect
to a login page with the message 'Session Deactivated Due To Login From
Another Location'.  However, what happens is that he goes to click on
something, JavaScript gets called that changes the contents of all three
frames, so all three frames try to load new content.  This means 3 new
requests, and 3 passes through AuthCookie.  Well, the first pass through
works exactly like I would expect and
$r->prev->subprocess_env('login_error_msg') has the proper error message.
The problem is that the other two requests also go through AuthCookie, and
since the first one already removed the cookie, the other two just see that
the user doesn't have a cookie and also redirect to the login page.  So what
the user is seeing is really the third redirect to the login page, which no
longer has any useful info in $r->prev->subprocess_env.

So my next thought was that we need some sort of global "login messages"
object that could be shared across children and requests and could hold
login failure messages.  Since I'm already using Apache::Session, I thought
following the cookbook's recipe on how to use A::S for global data would be
good.  So I set up a session with a known key ("_loginmsgs") but then
realized there's no piece of info I can use to uniquely identify a
particular user/browser so that I can store a message for him.  I can't use
the session key since by the time it comes to look up if there are any
messages I should be displaying on the login page, there's no longer a
session key to reference (the cookie has been removed).  I then thought I
could just try the IP address but firewalls could make multiple users look
to be coming from the same IP.  I never really came up with something I
thought would work and was clean.  So, finally, the question is: has anyone
solved this same problem, or does anyone have any ideas of what I should
try?

Thanks,
Fran
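
Added example, not part of the original post and not Apache::AuthCookie code: a plain-Perl model of the three-frame sequence described above, in which the response that expires the session cookie also sets a second cookie holding only a reason code, so the later frame requests can still show why the login page appeared. The authenticate() routine, the login_reason cookie name, the reason codes and the %SESSIONS layout (including the assumption that the server keeps a record of the invalidated session) are all hypothetical.

```perl
#!/usr/bin/perl
# Added example: models the three-frame race in plain Perl (no Apache APIs).
use strict;
use warnings;

# Fixed allow-list: the cookie carries only a code, never display text.
my %REASON_TEXT = (
    bad_login => 'Login Incorrect',
    timeout   => 'Previous Session Timed Out',
    displaced => 'Session Deactivated Due To Login From Another Location',
);

# Constructed server-side state: session "s1" was invalidated by a newer login.
my %SESSIONS = ( s1 => { valid => 0, reason => 'displaced' } );

# Hypothetical auth step. Takes the request's cookies and returns
# (outcome, cookies to set or expire, message for the login page).
sub authenticate {
    my (%cookie) = @_;
    my $sid = $cookie{session};
    if ( defined $sid && $SESSIONS{$sid} && $SESSIONS{$sid}{valid} ) {
        return ( 'ok', {}, undef );
    }
    # Known but invalid session: expire it and hand the browser a reason code.
    if ( defined $sid && $SESSIONS{$sid} ) {
        my $code = $SESSIONS{$sid}{reason};
        return ( 'login', { session => undef, login_reason => $code },
                 $REASON_TEXT{$code} );
    }
    # No session cookie (frames 2 and 3): fall back to the reason cookie,
    # accepting only codes that are in the allow-list.
    my $code = $cookie{login_reason};
    my $msg  = ( defined $code && exists $REASON_TEXT{$code} )
        ? $REASON_TEXT{$code} : undef;
    return ( 'login', {}, $msg );
}

# Simulate the browser: one cookie jar, three frame requests in sequence.
my %jar = ( session => 's1' );
for my $frame ( 1 .. 3 ) {
    my ( $outcome, $set, $msg ) = authenticate(%jar);
    for my $name ( keys %$set ) {
        if ( defined $set->{$name} ) { $jar{$name} = $set->{$name} }
        else                         { delete $jar{$name} }
    }
    printf "frame %d: %s, message: %s\n", $frame, $outcome,
        defined $msg ? $msg : '(none)';
}
```

Because the browser supplies login_reason, it is only ever mapped through the allow-list to a fixed string and is never used for an authentication decision. The login handler should expire it again after a successful login.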