Thanks for your reply - it's taken me a while to get back to this code, but I need to get it finished soon!
As you suggested, I got rid of $cookie altogether, now I'm just using

$session->header();

- however things don't seem to have changed.
I realise the point you're making regard the CGI::Session->load(), in fact the sessions aren't passed at all, they aren't expired, but empty!
I tried $session->param('user_name'), but get no result. I think my code's not finding the CGISESSID server-side file that is being created. I tried

$session = CGI::Session->load(undef, undef, {Directory=>'./tmp'}) or die CGI::Session->errstr();

(i.e. using the CGI::Session->new parameters with load, to try and point it to the correct directory), but this doesn't seem to find the files either.
Can anyone see something wrong in my code? I hope it's clear what I've done... otherwise just ask - would seriously appreciate any help!
Thanks!