I didn't actually run the code, but a quick review shows some suspicious lines:

### Grab SID and determine session_status
my $sid = $session->id();
my $session_status    = "false";
$session_status    = $session->param("user_logged_in");
[download]

So, if the session does not contain a paraneter user_logged_in, you are overwriting the value "false" with undef.

### Grab SID and determine session_status
my $sid = $session->id();
my $session_status = $session->param("user_logged_in") // "false";
[download]

Later in the code (though not at line 89) you do the comparison which triggers the warning:

if ($session_status eq 'true')

Most probably that warning also causes the IIS to complain. IIS is expecting your response to start with a header, but gets a timestamp from the warning instead. The timestamp, starting with a [ character, is what you get from using CGI::Carp.

That said, I guess you are aware that this program looks more like 20th-century legacy than current best practice for a web application. We love Perl just because it is so simple to whip something up which will run for decades without a change, but still... given that the internet is no longer the same friendly place which it was 20 years ago, a bit of general refurbishment wouln't hurt.