Ah, I think this is an XY Problem. A session existing in no way means an authenticated or valid user. And the fact that a user can supply a cookie named CGISESSID should not allow them to appear as "signed-in."

I don't WANT want one to be created, I just want to check for the existence of one. If it doesn't exist, sendt the user to the login page.

Not really. What you want to do is check if the session is valid. So, long story short, you can do what you are trying to. It will be verbose however and it will not remove any of the code you'll have to do to check that the session is valid so it's probably pointless unless you've got a high traffic site and don't want to hit the DB with new empty sessions all the time.

If you do want to do it this is the flow-

• Use CGI::cookie() to read the cookie named "CGISESSID" or "YOUR_CUSTOM_NAME."
  • If it exists and has a reasonable value, try to load it from CGI::Session->load().
    • If it's valid, pass/send them along to /home or whatever (there can be many reasons it wouldn't be valid; wrong/new IP, DB says session is too old to still be valid, some other token of your devising doesn't match the last request for that session).
    • If it's not valid, send them to the login page.
  • If it doesn't exist, send them to the login page.

The thrust being, you have to create a session to validate one so the only benefit of not doing so is avoiding some overhead and if you have a 100% login access site anyway you won't be saving much. :)