I'd also suggest the idea of starting at CPAN and looking for existing modules to start with. You say that you need to force users to re-authenticate after 15 minutes, so I'd start by looking for an Apache module that will take care of the authentication that you want to do, e.g. Apache::AuthDBI or Apache::AuthCookie, etc. If you can get an existing perl module to take care of this, it should be fairly easy to hack in a timestamping like you want, and it should be trivial to hack in the exemption of certain directories. I've done some hacking on Apache::AuthDBI myself to get it to work in a specific environment, and it was much, much faster than anything I could have come up with from scratch. Good luck!