Is it me, or is the documentation for CGI::Session severely misleading?

It's not just you, though at the moment, I can't judge if it is misleading

The latest version, which is what I read, says http://search.cpan.org/~markstos/CGI-Session-4.48/lib/CGI/Session.pm#new%28%29

If called without any arguments, $dsn defaults to driver:file;serializer:default;id:md5, $query||$sid defaults to CGI->new(), and \%dsn_args defaults to undef.

That isn't strictly true as it defaults to CGI->new whenever the second argument is undef

At the moment, I've no idea how that could be improved :) patches welcome

However, you probably would not have run into this if you weren't implementing your own login logic error :) as "Basic cookie management " teaches , you set one cookie per browser ( brand-the-browser , associate sessionid with browser)

Later, for login, you update some session data (username, login status )

Later, for logout, you delete the entire session, and delete the cookie

Or you could even, Later, for logout, keep the cookie (and session alive), but delete some session data (delete username, login status )...