|Do you know where your variables are?|
Using CGI to authenticate users is no less secure than using basic HTTP authentication, credentials are passed as plain text in both cases.
I don't claim to be an expert in anything. Thus I don't believe I would be able to do a CGI authentication routine better than the Apache programmers.
Summing up, my reply meant: are you sure you are able to do with a CGI a better job than apache does?
Many people could. I wouldn't. And I don't recommend to others what I wouldn't do myself.
About SSL and mod_perl, I preferred not to cite them. I preferred to focus on the intrinsic weaknesses of a self-made CGI authentication against an (already weak) basic authentication.
I subscribe your opinion on SSL and mod_perl, with a preference for SSL for the same reasons as before: personally I don't think I would be able to do with a self-made mod_perl handler a job better than SSL.