So what about checking for valid session cookies from before the ddos started?