One thing at least is wrong; you're generating a new session for each request (i.e. you're losing the old session, if there is one). You need to check if the session id is available, and get that session if so. Otherwise, create a new (empty) session.

Also, when you've created a new session, you need to make sure the client re-uses the newly created session id in the following requests. The easiest way to do that, is probably to use cookies. See CGI::Session's header() method.

The CGI::Session main manual page is a bit short on details, You'll probably want to take a look at CGI::Session::Tutorial