Don't put the username/password combo in the cookie, encrypted or not. Instead, on the intial login, get their username/password and do the authentication. Once authenticated, put their username in a database paried with a unique session ID (I usually use Data::UUID for that) and send the session ID in the cookie. On subsequent entries, you check the session ID against your database. Keep another script in a crontab that deletes old session IDs from the database.
There are various authentication modules in the Apache:: namespace, but most of them only work if you're running mod_perl on Apache.
----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer
Note: All code is untested, unless otherwise stated