IMHO, you should explicitly call undef or untie on your session hash after every invocation of your script, to make sure Apache::Session will write the session info to the database. I think depending on this happening automagically is hit or miss at best.

Note that calling undef or untie will not remove the session record from the table, there is a delete method for that. Calling the delete method may be what you want in your logout handler.