I’m not gonna describe how to make HTML form and how to parse input data from html. I leave these as you your homework ;). As storage for HTTP sessions I chose database(specifically MYSQL).

Here is my table with sessions :

desc mc_sessions;
+-----------------+--------------+------+-----+---------+-------+
| Field           | Type         | Null | Key | Default | Extra |
+-----------------+--------------+------+-----+---------+-------+
| user_name       | varchar(50)  | YES  |     | NULL    |       |
| session_id      | varchar(255) | NO   | PRI | NULL    |       |
| expiration_time | int(11)      | YES  |     | NULL    |       |
+-----------------+--------------+------+-----+---------+-------+

use CGI qw/:standard/;
use CGI::Cookie;

sub set_cookies {.
    my ($db,$user_name,$user_passwd) = @_;

    my $exp_time = time() + 259200; #(3 days)
    my $session_id = md5_hex($user_id.''.$user_name.''.$user_passwd.''.$exp_time);

    my $sth = $dbh->prepare("INSERT INTO $table (user_name,session_id,expiration_time) VALUES (?,?,?)");
    $sth->execute($user_name,$session_id,$exp_time);

    my $cookie1 = new CGI::Cookie(-name=>'SessionID',-value=>"$session_id");
    my $cookie2 = new CGI::Cookie(-name=>'ExpirationTime',-value=>"$exp_time");

    print header(-cookie=>[$cookie1,$cookie2]);

    return 1;
}

sub check_auth {
    my ($dbh) = @_;

    my %cookies = fetch CGI::Cookie;
    my %cook_hash;

    foreach my $key (sort keys %cookies) {
        $cookies{$key} =~ /=(.*);/;
        $cook_hash{$key} = $1;
    }

    return -1 if (!defined($cook_hash{SessionID}));

    my $user_name = is_session_valid($dbh,$cook_hash{SessionID});

    return -1 if ($user_name == -1);

    return $user_name;
}

sub is_session_valid {
    my ($dbh,$session_id) = @_;

    my ($exp_time);

    my $sth = $dbh->prepare("SELECT * FROM sessions WHERE session_id=? and expiration_time > ?");
    $sth->execute($session_id,time());

    while ( my @array = $sth->fetchrow_array ) {
            ($user_name,$session_id,$exp_time) = @array;
    }

    return $user_name if (defined($user_name) and $exp_time > time());

    return -1;
}

As result we have 3 functions.

1. set_cookies – this function generate, put in database and send cookies to user’s browser.
2. check_auth – check if user has already have some cookies from server if yes call is_session_valid for future checking.
3. is_session_valid – look about user’s  session id  and check whether this session was expired or not.

Pay attention:

Each function receives variable $dbh it’s database connection identificator and should be created before function run.

How does it use?

Edit you CGI code. And take care that all pages checks sessions id.
Put this function call after authorization by password to send cookies to user:

set_cookies($dbh,$username,$password);

And these in all remains site’s pages to prevent site from unauthorized actions:

my $user_name = check_auth($dbh);

if ( $user_id == -1 ) {
        some action[s]
}