in reply to Re: Protecting a PDF file
in thread Protecting a PDF file

there's a login page, which checks that a user is registered in our member database, and, if so, sets a session id cookie in SESSID, as well as a userid in TIUID. SESSID is generated using:
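# Build the 20-character session id from the kernel CSPRNG instead of rand().
# Perl's rand() is a seeded, non-cryptographic generator, so ids drawn from it
# are predictable; a session token is a bearer credential and must not be.
# NOTE(review): assumes the host provides /dev/urandom; elsewhere use a CSPRNG
# module such as Crypt::URandom.
my $sessid = do {
    my $alphabet_size = scalar @chars;
    die "Session id alphabet must hold 1 to 256 characters; stopped"
        if $alphabet_size < 1 || $alphabet_size > 256;

    open(my $urandom, '<:raw', '/dev/urandom')
        or die "Couldn't open /dev/urandom: $!; stopped";

    # Discard bytes at or above the largest multiple of the alphabet size so
    # every character is equally likely (no modulo bias).
    my $limit = 256 - (256 % $alphabet_size);
    my $id    = '';
    while (length($id) < 20) {
        my $got = read($urandom, my $byte, 1);
        die "Couldn't read /dev/urandom: $!; stopped" unless $got;
        my $value = ord $byte;
        next if $value >= $limit;
        $id .= $chars[ $value % $alphabet_size ];
    }
    close $urandom;
    $id;
};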
then, every page that is password-protected has the following at the top:
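# Session gate run at the top of every password-protected page: read the
# SESSID cookie, look it up in members.loginkey, and send the visitor to the
# login page unless a matching row exists. The normal page header (with a
# refreshed cookie) is emitted only after the lookup succeeds.
my $q      = CGI->new;
my $sessid = $q->cookie('SESSID');

# NOTE(review): TIUID is a client-supplied cookie and is never checked against
# the session below; use the UID column returned by the query, not this value,
# for any authorization decision.
my $UIDuser = $q->cookie('TIUID');

# Force scalar context: param() in list context returns every value of a
# multi-valued parameter, which would shift keys and values inside %in.
my %in = map { $_ => scalar $q->param($_) } $q->param;

if (!$sessid) {
    print $q->redirect("http://mydomain.org/memberarea/login/");
    exit;
}

my $pagetitle;

# NOTE(review): the credentials are hard-coded in a script under the web root
# and the account name suggests admin rights; a read-only account loaded from
# a file outside the document root would limit the damage of a source leak.
my $dbh = DBI->connect('DBI:mysql:sitedatabase;host=localhost;port=3306',
    'ouradminname', 'oursecretpassword')
    or die "Couldn't open database: $DBI::errstr; stopped";

# The cookie value is attacker-controlled, so it is bound through a
# placeholder instead of being interpolated into the SQL text.
# NOTE(review): the query has no expiry condition; the two-hour lifetime is
# enforced only by the browser unless loginkey is cleared elsewhere - confirm.
my $sql = "SELECT UID, firstname, lastname, role FROM members WHERE loginkey = ?";

# Prepare the SQL query for execution
my $sth = $dbh->prepare($sql)
    or die "Couldn't prepare statement: $DBI::errstr; stopped";

# Execute the query
my $result = $sth->execute($sessid)
    or die "Error executing: $DBI::errstr";

# execute() returns "0E0" (numerically zero) when no row matched.
# NOTE(review): this relies on the driver reporting the row count for a
# SELECT; the statement handle is left unfetched for the code that follows.
if ($result == 0) {
    print $q->redirect("http://mydomain.org/memberarea/login/");
    exit;
}

# Emit the page header only after the session is known to be valid. Printing
# it before the lookup would leave the redirect above as body text of a
# normal response and would refresh the cookie of an unknown session.
# NOTE(review): the cookie is set without -httponly or -secure and the site
# URLs are http://, so the session id can be read in transit.
my $cookie = $q->cookie(
    -name    => "SESSID",
    -value   => $sessid,
    -expires => "+2h",
    -domain  => '.mydomain.org',
);
print $q->header({-type => "text/html", -charset => "utf-8", -cookie => $cookie});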
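Anyone with an expired or non-existent SESSID is redirected to the login page. Note that the two-hour expiry is set only on the cookie; the lookup shown does not itself check the age of the loginkey, so server-side expiry depends on stale keys being cleared elsewhere.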