I never stopped liking challenge-response systems that send a locally computed hash of (username,password) over the 'net instead of the password itself. The only difference is that I use SHA1 or one of the "new" hashing algorithms.

I've been playing with CGI::Session lately as well, and I mostly like it - though it was not immediately obvious to me how to enforce a session at the top of a page...I figured out a hacky approach, but I intend on changing it.

I hope that helps.