Grepping through our library of code I found a couple of examples, one's listed below. The authentication sequence for every CGI script sent the CGI query off to a module that did the validation and returned the authentication object:

my $q=new CGI;
.....
$token=valid_login($q)
redirect_to_login($q) unless $token;
[download]

During one of our programs we needed to masquerade as another user temporarily, so we created a fake CGI object complete with cookies in order to get something from the authentication object:

my $fakeq=new CGI;
$fakeq->{'.cookies'}->{ID1}=$cookieobj1;
$fakeq->{'.cookies'}->{ID2}=$cookieobj2;
.....
$ftokenobj=valid_login($fakeq)
die "Should not happen!" unless $ftokenobj;
[download]

Yes, yes we violated encapsulation by shoving in the cookies directly (couldn't think of a better way at the time) but it did what we wanted: we could re-use valid_login's code without having to alter the interface at all.