I use CGI::Session, it has various backends (DB_File,
plain files,
MySQL,
PostgreSQL) and can be used with cookies or hidden form fields; it has also a little Cook book. I use it in conjunction with CGI::Application, see CGI::Application::Session for an example of use.
There are many nodes about this topic, use Super Search to find them... update: Tired of session/cookie problem, Secure Session Management, Tips for Using Apache::Session, Cleaning up sessions created by Apache::Session::File when logging out of a CGI application, non-cookie session maintenance, CGI::Application CGI::Session problem, practical aspects of sessions and state, CGI::Session::MySQL, CGI::Application::Session - A stateful extension to CGI::Application.