in reply to file download security
This page should be secure, i.e. they should only be able to get to it thru the login page
How secure do you want to be? Even if you have a login page, user name and password will be sent as plain text over the network. So, there is always a possibility that someone will get them. One way of making that significantly harder for people to do is by using HTTPS. You can refer to your web server documentation on how to set up HTTPS.
how do I prevent a user from typing "http://website.com/cgi-bin/test.pl" right in his browser address bar
Every time a user logs in, create a unique session ID and then pass it on throughout the site as one of the parameters; e.g., file.cgi?sid=foobar
Once you are able to do that, then, inside of your file.cgi script, you can check if "sid" is present and valid (not expired). If it doesn't exist or is not valid, then you can redirect the user to some other page.
Hope this helps.
--perlplexer
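
The session check described in the post above, as an added example that is not part of the original post and is not perlplexer's code. The session directory, lifetime, login URL and both function names are assumptions; session records are kept as files on the server, one per session ID.

```perl
#!/usr/bin/perl
# Added example: server-side session check for file.cgi (not from the original post).
use strict;
use warnings;

my $SESSION_DIR = '/var/lib/myapp/sessions';   # assumption: directory outside the web root
my $TTL         = 15 * 60;                      # assumption: 15-minute session lifetime
my $LOGIN_URL   = '/cgi-bin/login.pl';          # assumption: hypothetical login page

# Called by the login script after the password check succeeds.
sub new_session {
    my ($user) = @_;
    open my $rng, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($rng, my $bytes, 16) == 16 or die "short read from urandom";
    close $rng;
    my $sid = unpack 'H*', $bytes;              # 128 random bits as 32 hex chars
    open my $fh, '>', "$SESSION_DIR/$sid" or die "session store: $!";
    print {$fh} join("\n", $user, time + $TTL), "\n";
    close $fh;
    return $sid;
}

# Returns the user name for a valid, unexpired sid; undef otherwise.
sub check_session {
    my ($sid) = @_;
    # Strict format check: rejects anything that could escape $SESSION_DIR.
    return unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;
    my $path = "$SESSION_DIR/$sid";
    open my $fh, '<', $path or return;          # unknown sid
    chomp(my ($user, $expires) = <$fh>);
    close $fh;
    if (!defined $expires || $expires !~ /\A\d+\z/ || $expires < time) {
        unlink $path;                           # expired or corrupt record
        return;
    }
    return $user;
}

# file.cgi entry point: pull sid out of the query string and gate on it.
my ($sid) = ($ENV{QUERY_STRING} // '') =~ /(?:\A|[&;])sid=([^&;]*)/;
if (defined(my $user = check_session($sid))) {
    print "Content-Type: text/plain\r\n\r\n";
    print "Hello $user, the download would be served here.\n";
} else {
    print "Status: 302 Found\r\nLocation: $LOGIN_URL\r\n\r\n";
}
```

A session ID carried in the URL ends up in server logs, browser history and Referer headers, so keep the lifetime short and serve these pages over HTTPS. Sending the same ID in a cookie marked Secure and HttpOnly avoids most of that exposure and needs no change to the server-side check.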