Uh oh. You said:

I'm pretty ignorant abt security, so please don't refrain from telling me something because you think I'll already know it

First rule is to keep it simple. Then the security is easy to evaluate. If you don't understand whether doing something will make it more secure, then don't do it. Because it probably won't.

That said...

Read up on security before you implement any algorithms, protocols, etc. Otherwise you'll make some glaring holes amidst all the hoopes you jump through. A good start for crypto and protocols is Applied Cryptography by Bruce Schneier. But that's only a start..... search the web for articles on CGI and security. There are plenty.

In the meatime, look at what other people implementing similar applications have done, and if there is any code available that has been around for a while, evaluated/tested/hacked enough that the "community" has a reasonable amount of confidence in it's security.