$D = {'_SESSION_ID' => 'ff98369e0e3ef653f90301cc6fbf29a6','_SESSION_ET
+IME' => 900,'_SESSION_REMOTE_ADDR' => '192.168.x.x','_SESSION_CTIME' 
+=> 1232014477,'_SESSION_ATIME' => 1232014492,'_SESSION_EXPIRE_LIST' =
+> {}};;$D
[download]

From looking at CGI::Session::load, this looks valid and your sessions shouldn't expire:

    # checking for expiration ticker
    if ( $self->{_DATA}->{_SESSION_ETIME} ) {
        if ( ($self->{_DATA}->{_SESSION_ATIME} + $self->{_DATA}->{_SES
+SION_ETIME}) <= time() ) {
            $self->_set_status( STATUS_EXPIRED |    # <-- so client ca
+n detect expired sessions
                                STATUS_DELETED );   # <-- session shou
+ld be removed from database
            $self->flush();                         # <-- flush() will
+ do the actual removal!
            return $self;
        }
    }
[download]

This is largely the only mention of STATUS_EXPIRED. So, you will need to post a self-contained example that fails, and then likely report this as a bug. Or maybe your check for whether a session is expired is wrong, or you have two machines which create/check sessions and their system clocks are at least 15 minutes apart.

Oh well, even if the manual says:
  Note: all the expiration times are relative to session's last access time, not to its creation time. To expire a session immediately, call delete(). To expire a specific session parameter immediately, call clear($name).

... it really wasn't quite like that for me. Maybe a bug ;P
Anyway, I got it working by expiring a parameter; this way the session is stil valid but the parameter expires and you can call login if $s->param('login_param') is not set. When calling login one can do a $s->delete() and $s->flush() to clean the session database.