Good post. The expires header requires a valid date if you output it yourself ie:
Expires: Fri, 30 Oct 1998 14:19:41 GMT
With CGI.pm however, a variety of options (including -'1d')are allowed when you pass values to it, presumably these are converted into a time in GMT - I have never bothered to check. If you send invalid date values in an HTTP expires header (ie 'now' or '0') it is interpreted as being in the past so has the desired effect anyway.