PerlMonks  

Re: Security

by Hero Zzyzzx (Curate)
on May 23, 2001 at 18:28 UTC [id://82569]


in reply to Security

I think a good, relatively easy, security model to implement is this:

  • Store user and password info in a database. Be sure to encrypt the password. If you're using mySQL, the password() function can do this for you.
  • Have the user login. Check the password against the info in the database.
  • Assuming login success, set an md5 encrypted cookie and store the cookie in a "valid users" table server-side. Use some kind of random, hard-to-guess info in the md5 cookie, like localtime() plus a random number and some random text. One other thing is to not set an expiration time on the cookie, so that it expires when the user closes the browser session. This will require a login each time someone wants to access an admin feature.
  • Because you have the cookie stored in a database, you can use this to authenticate across multiple scripts. You should also clear the stored cookies out of the database every day or so.
  • The biggest hole here is probably sending password/user info plain text via the WWW. Use SSL for the login page.
  • You can also have admin functions built into the same scripts used by non-admin folks, by denying functions to folks without a valid cookie in your database. This is a big strength of this system: your security isn't an "all or nothing" proposition.
  • There's a bunch of assumptions I'm making here: that you're using strict, untainting data properly, and have read all the great links the other monks have provided in this thread. This is the "devil in the details."

Make sure to take the time to learn CGI.pm for handling your cookies and other functions; you'll be glad you did.

While this system isn't perfect, it should work for a moderately secure app. I wouldn't trust it with anything that handles credit cards or the like, but it should work well for anything below that.
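The session scheme the reply describes, as an added example that is not part of the original post: it assumes DBI with DBD::SQLite (an in-memory table standing in for the poster's "valid users" table), CGI.pm for the cookie, and Digest::MD5 for the hash. The token is only as hard to guess as the localtime(), rand() and random text fed into it, which is why the server-side table, not the hash itself, is what makes a cookie valid.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
use Digest::MD5 qw(md5_hex);

# Constructed stand-in for the "valid users" table: an in-memory SQLite database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE valid_users (token TEXT PRIMARY KEY, username TEXT, created INTEGER)');

# Cookie value built the way the post suggests: localtime, a random number and
# some random text, run through MD5. rand() is the weakest of the three inputs.
sub new_token {
    my @chars = ('a' .. 'z', 'A' .. 'Z', 0 .. 9);
    my $text  = join '', map { $chars[rand @chars] } 1 .. 16;
    return md5_hex(scalar(localtime) . rand() . $text);
}

# On login success: remember the token server-side and hand it to the browser
# with no -expires, so it dies when the browser session ends.
sub issue_session {
    my ($cgi, $user) = @_;
    my $token = new_token();
    $dbh->do('INSERT INTO valid_users (token, username, created) VALUES (?, ?, ?)',
             undef, $token, $user, time);
    return $cgi->cookie(-name => 'session', -value => $token, -httponly => 1);
}

# On every later request (any script): the cookie is good only if it is still
# in the table. The regex capture also untaints the value under -T.
sub session_user {
    my ($cgi) = @_;
    my ($token) = ($cgi->cookie('session') // '') =~ /^([0-9a-f]{32})$/ or return;
    my ($user) = $dbh->selectrow_array(
        'SELECT username FROM valid_users WHERE token = ?', undef, $token);
    return $user;
}

# The daily clean-out the post recommends: drop tokens older than one day.
sub expire_sessions {
    return $dbh->do('DELETE FROM valid_users WHERE created < ?', undef, time - 86400);
}

# Demonstration with a constructed request; no web server needed.
my $cookie = issue_session(CGI->new({}), 'alice');
print 'Set-Cookie: ', $cookie->as_string, "\n";
$ENV{HTTP_COOKIE} = 'session=' . $cookie->value;         # simulate the browser sending it back
print 'Cookie resolves to user: ', session_user(CGI->new({})) // 'nobody', "\n";
```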
