in reply to How to remember who is logged in...

here's what i usually do:
after authentication, i send the user a cookie with the sessionid, and log that in my DB. every time the user clicks somewhere, i look up that sessionid in my db, check whether that session "timed out". if the session's still alive, i set my "lastaction" column to time().
oh, yea - i also log the $ENV{'REMOTE_ADDRESS'}, just in case somebody steals the cookie (i know - IPs can be faked, but it ain't THAT easy).
sometimes, i Storable::freeze and Storable::thaw some session-data into my DB, too (can come in quite handy).
i know this is kinda re-inventing the wheel, but it's a small wheel, and i personally like knowing everything about my session-management, so that i can do whatever i please with it anytime.
speaking of security: what's the most secure way to handle sessions? how do banks do it? is there another way?
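
The scheme described in the post above, as an added sketch that is not part of the original post: a random session id for the cookie, a per-request lookup with an idle timeout, a refreshed lastaction, and the client address recorded at login. Assumptions: an in-memory hash stands in for the DB table, the 15-minute timeout is a constructed value, the caller supplies the client address, and a request from a different address is rejected (the post only says the address is logged).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# In-memory stand-in for the sessions table (assumption; the post uses a DB).
my %sessions;
my $TIMEOUT = 15 * 60;    # idle timeout in seconds (constructed value)

# 128-bit session id read from the OS random device, hex-encoded.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read $fh, my $buf, 16;
    close $fh;
    die "short read from urandom" unless defined $got && $got == 16;
    return unpack 'H*', $buf;
}

# Called after successful authentication; the returned id goes in the cookie.
sub create_session {
    my ($user, $ip, $now) = @_;
    my $sid = new_session_id();
    $sessions{$sid} = { user => $user, ip => $ip, lastaction => $now };
    return $sid;
}

# Called on every request. Returns the user name, or undef if the session
# is unknown, idle too long, or presented from a different address.
sub check_session {
    my ($sid, $ip, $now) = @_;
    return unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    my $s = $sessions{$sid} or return;
    if ($now - $s->{lastaction} > $TIMEOUT || $s->{ip} ne $ip) {
        delete $sessions{$sid};    # expired or mismatched: invalidate
        return;
    }
    $s->{lastaction} = $now;       # sliding timeout, as in the post
    return $s->{user};
}

# Constructed demo: addresses are from the RFC 5737 documentation ranges.
my $t0  = time();
my $sid = create_session('alice', '192.0.2.10', $t0);
print "same ip, 5 min later: ", (check_session($sid, '192.0.2.10', $t0 + 300) // 'rejected'), "\n";
print "other ip:             ", (check_session($sid, '198.51.100.7', $t0 + 310) // 'rejected'), "\n";
print "after invalidation:   ", (check_session($sid, '192.0.2.10', $t0 + 320) // 'rejected'), "\n";
```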