Your second idea is the one to go for. Whether or not the URL is handled by Perl or is a static page or even by something else, it doesn't matter to the Auth(z|en) handler, just the cookie and/or the URL as entered by the user is all you need.

A large site I'm working on allows anyone, registered or not, to view any page. However, if you're logged in you see potentially different content, and even further, depending on the level of access granted the content will be even further tailored.

All handled through the magic that is mod_perl and HTML::Mason.

There's definitely no call for constantly re-starting a mod_perl enabled Apache webserver just because you've added a new directory dynamically. All you need to do is build a small form for an administrator to set paths/access levels, store it in a database for use within your Auth handlers.