I'm not exactly sure what your problem is, but I do have a couple of things to point out.

• CGI::Session::header automatically sends the CGISESSID cookie for you, so you don't have to get the cookie and send it yourself.
• Where has $session been defined in this part of code: print Dumper($logged_in, $session->param('user'));? How can you expect that $session object to have the changes you made in write_session? I would think that if you've created a session object, then created a new, lexically scoped session object within your subroutine, that upon return, the first object would not contain the updates that you made.
• Would it make more sense to pass $session to write_session, rather than creating a new one?