If you're already authenticating with HTTP authentication, I would stick with that rather than writing a bunch of state management stuff with cookies. This is all handled by the web server with HTTP auth, so I would see about protecting a subdirectory under /cgi-bin/ or reconfigure the server so that you can run your protected CGI scripts under the directory that you already have protected. I have never understood why sites insist on using all sorts of complex state management code and cookies with "authenticated" sessions when HTTP authentication will do all of this for them, giving the CGI script a nice friendly environment variable with the username. Plus you don't have to worry about invalidating URL's or having obfuscated keys showing up in access/referer logs for your server or sites you link to. It's all just a big headache, and unless you find a quality pre-written installation, it's not worth it. Stick with some form of HTTP authentication and you'll have much less headache. Of course, either mechanism, as another poster mentioned, is susceptible to monitoring by a 3rd party, which is why you'd want to use SSL if you're concerned about this. Unless you're trafficking sensitive data, I wouldn't worry.