My web application only has one level of authorization. It's either you're logged in or not. Would ACL be overkill for this? Would the Auth component be sufficient/secure enough to handle this situation?
Does CakePHP session anonymous users? If so, is there a way to turn that off? I don't think I need sessions to be passed around if the user is anonymous.
Short answer: Maybe. Long answer: seems that, for the case you explain, Auth should be enough (provided you also use Sanitize, but that's something you should also do if using ACL anyway).
As for the use of sessions, I don't think you have to worry about Cake using them for anonymous users, but I really haven't read the code. Anyway, I don't think that it will be easy to turn them off for non logged in users but leaving them on for logged in people.
The ACL component is only needed if you need to provide access to certain parts of the site to certain groups of users and not others. If you only need to know if someone is a user or not, Auth will have you covered.
By default, sessions are created for everyone. If you're not using them for anonymous users, it's okay to leave them turned on all the time because a) it's easier that way and b) the overhead of doing so is extremely minimal. If you decide to go ahead and turn them off when not used, you can set Session.start to false in app/config/core.php.
However, you will have to add code to start the session when a user is logged in. You may also experience issues with the Auth component. It makes use of the Session component and I believe it expects sessions to be started on every page load.
Using the Auth component is fine
Using the Sanitize library has nothing to do with this at all. Knowing Cake, if something needed sanitized in conjunction with the AuthComponent then that component will make use of Sanitize internally. You don't need to do anything with it yourself.
If you set up a User Model with id, username, password fields and simply include the Auth component in your AppController and set the component to allow the 'display' action ( for the homepage IE PagesController::display( 'home' ); ) that should get you started.
Googling or searching bakery.cakephp.org should turn you up some good Auth tutorials.