UPDATE: I found the answer here:

http://www.concrete5.org/community/forums/customizing_c5/passing_se...

Sorry about the double post - I guess I wasnt looking hard enough at the forums.

====================================
Seems like Concrete5 hijacks the superglobal $_SESSION variable. Which is, well, weird. Let me explain:

Throw this code into your run-o-the-mill default C5 template:

$_SESSION['testvalue'] = "Testing";
print_r($_SESSION);
echo SID;
echo session_id;
echo '<a href="/testsession.php?' . SID . '">test</a>';

Where testsession.php looks like so:

<?php
session_start();
print_r($_SESSION);
?>

Strange goings on - In C5 you can easily assign a value to $_SESSION and it will be maintained on all C5 pages - if you break out of C5 you loose the session. Also, as you can see I am trying to print the session id from within C5 - no such luck.

I could spend a great deal of time listing the reasons why I find this strange and mysterious - I will spare you all that and just ask:

Why does C5 do this? Some security issue? How does it do it? Any way around this limitation?

Thanks!