in reply to CGI security

The quick-n-dirty answer would be to read up on apache .htaccess files.

The better answer is to read up on Cookies and the PerlAccessHandler directive in Apache. When Apache processes a URL request, that request goes through several phases, one of which is the access check ("Is this user allowed to view this URL?"). By writing your own PerlAccessHandler, you can protect your site against users who aren't logged in.

A quick example (I'll try to minimize the errors :)

    package MyAccessHandler;
    use strict;
    use warnings;

    use Apache ();
    use Apache::Cookie ();                       # cookie parsing (libapreq)
    use Apache::Constants qw(OK DONE);           # return codes for mod_perl 1.x handlers

    sub handler {
        my $r = shift;
        my $file_path = $r->uri;                 # path part of the request

        # Do not protect the login page, or nobody could ever log in.
        # Note: this exempts ANY path ending in login.html.
        return OK if $file_path =~ /login\.html$/;

        my $can_access = 0;

        ## If the user has a cookie named "cookie", see if the user has access.
        my $cookie = eval {
            my %cookies = Apache::Cookie->new($r)->parse;
            $cookies{cookie} ? $cookies{cookie}->value : undef;
        };
        if ($cookie) {
            # Site-specific check of the cookie's contents; supplied by you.
            $can_access = MyValidationRoutine($cookie);
        }

        # Return OK if they're allowed.
        return OK if $can_access;

        # Otherwise, serve the login page in place of the requested URL.
        $r->internal_redirect('/login.html');
        return DONE;
    }

    1;

Things to read up on: Apache::Request, Apache::Cookie. O'Reilly's "Apache Modules with C and Perl" is a good resource as well, though it's a little out of date and written for Apache 1.3.x, not 2.0.x. Is there a good Apache 2.0.x book out there?

Side note - this was written for Apache 1.3.x - I know things have changed in 2.0.x, but the same general idea applies.
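Since the post asks about Apache 2.0.x, here is the same idea ported to mod_perl 2, as an added example that is not part of the original reply. It also fills in what the reply leaves as `MyValidationRoutine`: the cookie carries a user name, an expiry and an HMAC-SHA256 over both, so a client cannot forge a login or extend a session without the server secret. The cookie name `session`, the `user:expiry:hmac` token format, the `AuthSecret` PerlSetVar and the `/login.html` path are all assumptions of this example, not anything from the original.

```perl
package MyAccessHandler;
use strict;
use warnings;

# httpd.conf (assumed for this example):
#   PerlModule MyAccessHandler
#   <Location />
#       PerlSetVar AuthSecret "replace-with-a-long-random-secret"
#       PerlAccessHandler MyAccessHandler
#   </Location>

use Apache2::RequestRec ();    # $r->uri, $r->headers_in, $r->headers_out
use Apache2::RequestUtil ();   # $r->dir_config
use APR::Table ();             # tied-hash access to the header tables
use Apache2::Const -compile => qw(OK REDIRECT);
use Digest::SHA qw(hmac_sha256_hex);

my $COOKIE_NAME = 'session';      # assumption
my $LOGIN_PATH  = '/login.html';  # assumption

sub handler {
    my $r = shift;

    # Exempt the login page itself. Compare the whole path rather than a
    # suffix so that /anything/login.html is still protected.
    return Apache2::Const::OK if $r->uri eq $LOGIN_PATH;

    my $secret = $r->dir_config('AuthSecret')
        or die "PerlSetVar AuthSecret is missing from httpd.conf";

    my $token = parse_cookie_header($r->headers_in->{Cookie}, $COOKIE_NAME);
    if (defined $token && validate_token($token, $secret, time)) {
        return Apache2::Const::OK;
    }

    # Not logged in: send a real 302 so the browser's URL changes and the
    # protected content is never served under the original URL.
    $r->headers_out->set(Location => $LOGIN_PATH);
    return Apache2::Const::REDIRECT;
}

# Pull one named cookie out of a raw "Cookie: a=1; b=2" header value.
sub parse_cookie_header {
    my ($header, $name) = @_;
    return undef unless defined $header;
    for my $pair (split /;\s*/, $header) {
        my ($k, $v) = split /=/, $pair, 2;
        return $v if defined $v && $k eq $name;
    }
    return undef;
}

# Token format (assumed): "user:expiry:hmac" with
# hmac = HMAC-SHA256(key = secret, data = "user:expiry").
# The login handler would call this after checking the password.
sub make_token {
    my ($user, $expiry, $secret) = @_;
    my $payload = "$user:$expiry";
    return "$payload:" . hmac_sha256_hex($payload, $secret);
}

# Returns the user name on success, 0 on a bad or expired token.
sub validate_token {
    my ($token, $secret, $now) = @_;
    my ($user, $expiry, $mac) = split /:/, $token, 3;
    return 0 unless defined $mac && $expiry =~ /^\d+$/;
    return 0 if $expiry < $now;                        # expired session
    my $expected = hmac_sha256_hex("$user:$expiry", $secret);
    return 0 unless length($mac) == length($expected);
    # Constant-time comparison so a timing side channel cannot leak the MAC.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return $diff == 0 ? $user : 0;
}

1;
```

The access phase runs before the content handler, so a failed check means the protected file is never read. Keep the secret out of the document tree and rotate it to invalidate every outstanding session at once.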