use Apache::Session::File;
use CGI::Cookie;

use constant TIMEOUT     => 60 * 60 * 2;  # 2 hours
use constant COOKIE_NAME => 'MY_COOKIE';
use constant BASE_URL    => '/';

# Get the ID from the cookie (if one was set)
my $raw_cookie = $r->header_in('Cookie') || "";
my %cookies = parse CGI::Cookie($cookie);
my $id = $cookies{COOKIE_NAME};

# Get the session object from disk
my %session;
tie %session, 'Apache::Session::File, $id, {
    Directory     => '/tmp/state',
    LockDirectory => '/tmp/state',
};

# Set the cookie back if it was new
if (not defined $id) {
    my $new_cookie =
        new CGI::Cookie(-name  => COOKIE_NAME,
                        -value => $session->{_session_id},
		        -path  => BASE_URL,
		        );
    $r->err_header_out('Set-Cookie' => $new_cookie);
}

# Now just read and write things to the session object
# and they will get saved.  You have to be careful about
# any references though.  See the docs for details.

# Check to make sure the session is valid
my $cur_time = time;
unless (defined $session{last_access} and
        $session{last_access} < time - TIMEOUT and
	defined $session{valid} and
	$session{valid} == 1)
{
   # Illegal access, bump to the login page
   # It must make the session valid by setting the 
   # last_access and valid fields.
}
$session{last_access} = $cur_time;