my %who = ();                   # tied hash
my %c = fetch CGI::Cookie;      # received session cookie
my $sid;                        # session id
my $sc;                         # session cookie to sent
 
if (%c) {   # check existence of cookie
    # print STDERR Dumper %c;
    if (exists $c{sid}) {   # check existence of session id in cookie
        $sid = $c{sid}->value;
        # untaint:
        ($sid) = $sid =~ /(.+)/;
    }
}       

if ($sid) {
 
    # attempt to retrieve user information from session id
    eval {
        tie %who, 'Apache::Session::File', $sid,
        {
            Directory => $session_dir,
            LockDirectory => $session_lock_dir,
        };
    };
    if ($@) {
        # can't revive session id, probably already garbage-collected
 
        $sc = create_cookie($sid, "expires");
        undef $sid;
    }
} 

# if login is submitted, tie a session and retrieve $sid
 
if (param('login')) {
    my $uname = param('uname');
    my $upass = param('upass');
    my ($uinfo, $mesg) = $db->auth_user($uname, $upass);
 
    unless ($uinfo) {

        # failed authentication. do smth and exit.

    } else {

        # generate session and send cookie in header
        eval {
            tie %who, 'Apache::Session::File', undef,
            {
                Directory => $session_dir,
                LockDirectory => $session_lock_dir,
            };
        };
        if ($@) {
            die "Can't create session: $@";
        }
        $sid = $who{_session_id};

        # store anything valuable 
        $who{name}  = $uinfo->{name};  
        $who{gname} = $uinfo->{gname}; 
    }
}

if (exists $who{name}) {        # if (%who) doesn't work here! why? 

  # a user is currently logged in. 
  # do smth he/she is allowed to do

} else {

  # user is not logged in
}