I didn't find anything wrong with the run mode switching in CGI::Application, but I didn't do authentication through it.

You say in your intro, that you have two run modes, "login" and "login_submit", but later on, you mention a third run mode, which I would calll "login_retry". I would redirect the user from a failed login to the login_retry run mode, either internally (by changing the used template) or externally, by sending the correct location: redirect.