I haven't studied the source of Apache::Session, but if your store is MySQL I think you can add a timestamp in the record which gets automatically updated with the current time every time you update the record (just reading the record would not update it). Deleting "old" sessions then is easy and you don't have to unserialize the session-data to do so.
CountZero
"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law