in reply to Authentication and CGI

Is .htaccess the best way of restricting users to a certain directory?

In general, yes. However, if the only thing in the directory is your application's .cgi, you have the option of protecting it with a .htaccess, or via application logic (e.g., a cookie-based login scheme). merlyn has a column that covers the basics of using cookies for login.

A scheme based on .htaccess (or the equivalent in IIS) has the virtue of being relatively easy to set up, though you do have to jump through setuid hoops to update passwords via the web.

An application-level scheme has the virtue of flexibility. It allows you to easily set up an n>1 level permission scheme for your users (e.g., distinguishing normal users from admins) without having to spread your application across multiple directories.

Either scheme is vaguely secure. Both will fail if someone is sniffing packets, since both send passwords in the clear.
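
The application-level scheme described in the reply above, sketched as an added example (not code from the post or from merlyn's column): one .cgi issues an HMAC-signed cookie value that carries the user's role and checks it per action, so normal users and admins share a directory. The secret, the role names and all function names are assumptions made for illustration, and the sample login is constructed.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret, kept in a file outside the web root in real use.
my $SECRET = 'constructed-demo-secret-change-me';
# Hypothetical role ranking: a higher number means more privilege.
my %LEVEL = (user => 1, admin => 2);

# Build the cookie value "user|role|expiry|mac" after a successful login.
sub issue_token {
    my ($user, $role, $ttl) = @_;
    die "bad user name\n" if $user =~ /\|/;    # keep the field separator unambiguous
    my $payload = join '|', $user, $role, time() + $ttl;
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return { user, role } for a valid, unexpired token, or nothing.
sub check_token {
    my ($token) = @_;
    defined $token or return;
    my ($user, $role, $exp, $mac) = split /\|/, $token, 4;
    return unless defined $mac && $exp =~ /^\d+$/ && exists $LEVEL{$role};
    return unless same_string($mac, hmac_sha256_hex("$user|$role|$exp", $SECRET));
    return if $exp < time();
    return { user => $user, role => $role };
}

# Gate one action on a minimum role, all inside a single .cgi.
sub allowed {
    my ($token, $need) = @_;
    my $s = check_token($token) or return 0;
    return $LEVEL{ $s->{role} } >= $LEVEL{$need} ? 1 : 0;
}

my $tok = issue_token('alice', 'user', 3600);    # constructed sample login
(my $forged = $tok) =~ s/\|user\|/|admin|/;       # role field edited by the client
printf "%-22s %d\n", 'user -> user page',    allowed($tok,    'user');
printf "%-22s %d\n", 'user -> admin page',   allowed($tok,    'admin');
printf "%-22s %d\n", 'edited role -> admin', allowed($forged, 'admin');
```

The signature only stops a client from editing the role; a cookie sent over plain HTTP can be sniffed and replayed just like the password.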