A session is a set of data maintained on the Web server that is uniquely associated with a single Web browser instance (normally via a cookie setting) -- so the user can enter their password once (hopefully via https), transmit it to the server, and have the server keep it locally until the end of the session (explicit log out or default time out).

See CGI::Session for one implementation of the standard solution for this kind of problem.

#!/usr/bin/perl -w
use strict;

use Digest::MD5 qw(md5_hex md5_base64);

my $user = "User";
my $passwd = md5_hex("mypassword"); 
print $passwd,"\n"; 
print "<a href='login.pl?user=$user&passwd=$passwd'>all_names</a>\n";

my $storedPasswd = "mypassword";
my $digestStored = md5_hex($storedPasswd);

print "Passwd OK\n" if $digestStored eq $passwd;

The problem with this scheme is that, although you've hidden the password, you've made the MD5 of the password equivalent to the password for your application. For example, if I sniff or shoulder-surf a session from this user and see that they're using user=sgifford&passwd=MD5ENCODEDSTRING, then I can simply log on to your system by sending these same parameters, even though I don't know the password.

You really want to consider using sessions here, or just putting the username and password in hidden form fields to protect them from shoulder-surfing, and using SSL to protect them across the network.

Thanks, I think that using MD5 will do the trick.

I think what you really want is to use HTTP POST instead of HTTP GET, and then you won't be seeing the user and password in the browser. It doesn't, however, make it more secure.