One potential problem is that $session is used inside not_called(), but it is not passed into that function - meaning it is using the one from the outer scope.

If you are running in a mod_perl environment and using Apache::Registry this would cause a problem with accidental closures.

Basically the not_called becomes an inner sub which holds a reference to $session, and that reference persists for the lifetime of that apache instance. CGI::Session automatically flushes its content to disk (or db, depending on config) when DESTROY is called - which in this case would never happen.