PerlMonks  

Re: CGI security

by wolfi (Scribe)
on Mar 12, 2004 at 18:11 UTC


in reply to CGI security

i have to concur w/the other two posters - if they're in a 'secure' area of your site - ya gotta go w/cookies.

some other thoughts re: cgi-security -

1) cgi-bin shouldn't be in your document-root (this'll deter ppl browsing to it, like you said was happening)

2) change your request method in your script and form to POST. GET requests come appended to a query_string and in basically plain text (anyone lookin' over your visitor's shoulder could read their password in the link) - whereas POST requests come url-encoded via standard-input (STDIN). Also - POST requests aren't cached - which'll deter someone from using the back-button to access those files again. (If someone new were to hop onto the pc.)

i'd also consider lookin' into some encryption (ssl, pgp or even crypt() w/generating or comparing passwords), if the visitor's info is sensitive (financial-related, etc). Ya don't want anyone stealing your customers' info - bad business.

Just some thoughts ;-)

ps: ty swngnmonk - i actually needed a couple of those docs ya posted :-)
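
The POST-over-STDIN and crypt() points from the post above, as an added example that is not part of the original post: a core-Perl CGI login handler that refuses credentials in the query string, reads a size-capped form body from STDIN, and checks the password against a stored crypt() hash. The field names `user` and `pass`, the 4096-byte cap, the sample account and the `$6$` salt format (which depends on the platform's crypt()) are assumptions.

```perl
#!/usr/bin/perl
# Added example: accept credentials only via POST on STDIN, compare with crypt().
use strict;
use warnings;

my $MAX_BODY = 4096;    # assumed upper bound for a login form body

# Constructed sample account store (username => crypt() hash). A real script
# would load stored hashes from a file kept outside the document root.
# Assumption: the platform's crypt() understands the '$6$' (SHA-512) format.
my %users = ( alice => crypt('constructed-sample-pw', '$6$constructedsalt$') );

sub fail {
    my ($status, $msg) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 0;
}

# Decode an application/x-www-form-urlencoded body into a hash.
sub parse_form {
    my ($body) = @_;
    my %f;
    for my $pair (split /[&;]/, $body) {
        next unless length $pair;
        my ($k, $v) = map {
            (my $s = $_) =~ tr/+/ /;
            $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
            $s;
        } split /=/, $pair, 2;
        $f{$k} = $v // '';
    }
    return %f;
}

fail('405 Method Not Allowed', 'POST only')
    unless ($ENV{REQUEST_METHOD} // '') eq 'POST';
# Credentials in the URL end up in history, logs and Referer headers: refuse them.
fail('400 Bad Request', 'credentials must not be sent in the URL')
    if ($ENV{QUERY_STRING} // '') =~ /(?:^|[&;])(?:user|pass)=/;

my $len = $ENV{CONTENT_LENGTH} // '';
fail('400 Bad Request', 'bad Content-Length')
    unless $len =~ /^\d+$/ && $len > 0 && $len <= $MAX_BODY;
fail('400 Bad Request', 'short body')
    unless (read(STDIN, my $body, $len) // -1) == $len;

my %form   = parse_form($body);
my $stored = $users{ $form{user} // '' };
my $try    = defined $stored ? crypt($form{pass} // '', $stored) : undef;
fail('403 Forbidden', 'login failed') unless defined $try && $try eq $stored;
print "Status: 200 OK\r\nCache-Control: no-store\r\nContent-Type: text/plain\r\n\r\nok\n";
```

The POST body is still readable on the wire unless the form is served over SSL, which is why the post pairs the two suggestions.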
