Just a quick comment about sessions - you don't have to use cookies to use sessions. You can pass the session key around in the URL, or in a hidden variable (as long as the user only navigates via form submit buttons). As long as your session key is reasonably random, people won't be able to just hit the CGI with a made-up, but valid, key. Then, the CGI that requires a valid login can check the session file (kept on the server) and see if it exists, and corresponds to a logged in user.