...."business logic"....
        my $cookie = get_session_cookie();
        print $cgi->header(
            #-Refresh => "3; $PAGE_AFTER_LOGON",
            -type => 'text/html',
            -cookie => $cookie
        );
.... remainder of page ....

sub get_session_cookie
{
    return unless $SessionID;

    my $cookie = $cgi->cookie(
        -name       =>  'session_id',
        -value      =>  $SessionID,
        -path       =>  '/',
        -expires    =>  '+4h',
        -domain     =>  '.some.domain',
    );
    warn "created session cookie: $cookie";

    return $cookie;
}