It's been a while since I did this, but as far as I can recall, CGI::Session is CGI::Cookie-aware, so that specifically issuing a CGI::Cookie with an expiry date should make it DWIM.