All good comments (except for the part about saving passwords in cookies! Bad coder! No donut!), but I'll add in some comments that some folks have not yet made.

Given the choice of a hashing algorithm, please advice new folks to use the strongest available... this means SHA1 over MD5, and MD5 over crypt. Better SHA is also an option ... look at CPAN for modules available. Might as well be paranoid. "YourFavoriteHashingAlgorithm" certaintly doesn't mean you can roll your own, at least not if you have any ethics -- it's far too easy to make a weak function.

You say 'most likely will give a unique ID', but you (in the case of dealing with Credit Cards, especially) might have an obligation to make sure they ARE unique. Good security is based on good math, not chance. One of the failings of random number generators is that they are not unique, so again, it never hurts to be paranoid.

Perhaps obvious, but when possible, use SSL. This not only encrypts the session from basic packet sniffing, but (when using certs), can tip someone off to a man-in-the-middle type attack, where you could be tricked into authenticating to a server that wasn't really the server you were connecting to.