I personally use Apache2, with Mason, and mod_perl2, while mod_perl2 is only in dev it seems to perform just as well now as mod_perl.

My login script consists of a simple sql lookup on a users table. If found, I create a new session using Apache::Sesssion::Postgres and then set a cookie such that its value is the session's id.

Then in an autohandler in a folder named /auth_required/ or the like, I check for a cookie using Apache2::Cookie and then I check the cookie's value $cookie->value to make sure the value or session id does exist in my session table (you create this to use anthing Apache::Session::*). If all is there I move on.

I save the session to a global variable $S, and the user data to a global variable $U to eliminate the need to pass it explicitly to other mason components.