in reply to Some questions about CGI::Session
There should be a file for each session. Sessions are not dependent upon a user being logged in or not. Usually, someone visits the page (calls your cgi program), and session is created. Unless you do cleanup, the session will hang around forever.
So, question one, how sustainable is this?
Well, file system limits are very real, too many files, and enumerating files (readdir) slows down noticably, its one of the reasons CPAN uses the id/A/AU/AUTHOR scheme (git uses a similar scheme).
You can adopt this scheme by subclassing CGI::Session::Driver::file and splitting directories based on sessionid (and while you're at it, you can omit cgisess_ as a filename prefix).
Could I do this somehow without forcing all users to log in again?
You're a programmer aren't you? :D