in reply to Apache module starting points

I'd also suggest the idea of starting at CPAN and looking for existing modules to start with. You say that you need to force users to re-authenticate after 15 minutes, so I'd start by looking for an Apache module that will take care of the authentication that you want to do, e.g. Apache::AuthDBI or Apache::AuthCookie, etc. If you can get an existing perl module to take care of this, it should be fairly easy to hack in a timestamping like you want, and it should be trivial to hack in the exemption of certain directories. I've done some hacking on Apache::AuthDBI myself to get it to work in a specific environment, and it was much, much faster than anything I could have come up with from scratch. Good luck!