Don't know anything about threaded, but you could just make a plain old forking server based on HTTP::Daemon. You can then restrict access by checking the peer address, as H:D is an instance of IO::Socket::INET.

You could create a session id (url?id=12345) and append it to URLs. Reject requests without the ID.

You can generate cookies from one of the CGI packages. Just stick them in the HTTP::Response and send it. Pull them out of the headers.