This module provides the Apache/mod_perl user with a mechanism for storing persistent user data in a global hash, which is independent of the underlying storage mechanism. Currently you can choose from these storage mechanisms Apache:ession:BI, Apache:ession::Win32, Apache:ession::File, Apache:ession::IPC. Read the man page of the mechanism you want to use for a complete reference.

Apache:ession provides persistence to a data structure. The data structure has an ID number, and you can retrieve it by using the ID number. In the case of Apache, you would store the ID number in a cookie or the URL to associate it with one browser, but the method of dealing with the ID is completely up to you. The flow of things is generally:
Tie a session to Apache:ession.
Get the ID number.
Store the ID number in a cookie.
End of Request 1.

(time passes)

Get the cookie.
Restore your hash using the ID number in the cookie.
Use whatever data you put in the hash.
End of Request 2.

Using Apache:ession is easy: simply tie a hash to the session object, stick any data structure into the hash, and the data you put in automatically persists until the next invocation. Here is an example which uses cookies to track the user's session.
# pull in the required packages
use Apache:ession:BI;
use Apache;

use strict;

# read in the cookie if this is an old session
my $r = Apache->request;
my $cookie = $r->header_in('Cookie');
$cookie =~ s/SESSION_ID=(\w*)/$1/;

# create a session object based on the cookie we got from the
# browser, or a new session if we got no cookie
my %session;
tie %session, 'Apache:ession:BI', $cookie,
{DataSource => 'dbi:mysql:sessions',
UserName => $db_user,
Password => $db_pass
};

# might be a new session, so lets give them their cookie back
my $session_cookie = "SESSION_ID=$session{_session_id};";
$r->header_out("Set-Cookie" => $session_cookie);

After setting this up, you can stick anything you want into %session (except file handles and code references and using _session_id), and it will still be there when the user invokes the next page.

It is possible to write an Apache authentication handler using Apache:ession. You can put your authentication token into the session. When a user invokes a page, you open their session, check to see if they have a valid token, and authenticate or forbid based on that.

By way of comparison note that IIS's sessions are only valid on the same web server as the one that issued the session. Apache:ession's session objects can be shared amongst a farm of many machines running different operating systems, including even Win32. IIS stores session information in RAM. Apache:ession stores sessions in databases, file systems, or RAM. IIS's sessions are only good for storing scalars or arrays. Apache:ession's sessions allow you to store arbitrarily complex objects. IIS sets up the session and automatically tracks it for you. With Apache:ession, you setup and track the session yourself. IIS is proprietary. Apache:ession is open-source. Apache:ession:BI can issue 400+ session requests per second on light Celeron 300A running Linux. IIS?

An alternative to Apache:ession is Apache::ASP, which has session tracking abilities. HTML::Embperl hooks into Apache:ession for you.