# somewhere at the start of some handler of CGI script...

my $session  = CGI::Session->new("driver:File", $query, {Directory=>'/tmp'});

if (my $user = $session->param('user')) {
   # user is already logged in...
}
elsif (my $user = get_user($query->param('user'),$query->param('password'))) {
   # store newly logged in user in session
   $session->param('user',$user);
}

       
# somewhere else

print $session->header( -some => 'value' );
# instead of $query->header.