Yes, the first thing I do on every page is check for the cookie and redirect as necessary. Eventually, I will be moving that check to a handler which will run before the request is even passed to the application.

In case you're wondering, I cannot (currently) use Apache/mod_perl's standard authentication using .htpasswd or some digest because I'm in the processing of porting an application and some older sections of the app use a rather insecure method of authentication. Once the whole mess is ported, I'll be able to move the authentication process out of the application database and into some sort of MD5digest (or the like). (I'll also be able to do sessions, but that's another story.)