Three thoughts:

First, merlyn has an article on basic cookie management that you might find useful.

Next, are you doing this over https:? If not,   -secure => 1 isn't what you want.

Lastly, you might get more mileage out of creating a CGI instance early in the script. E.g.,

  my $cgi = new CGI();
  if ( $cgi->cookie('user') { ... }
[download]