in reply to Safely storing password

I usually have an Object for a user storing these "credentials". It's created at startup of the program; the application is called with a CGI object and that User.

For this kind of session I always use Cookies; it's not generally insecure to store something in a cookie. It should not be the plain password, but have a look at your perlmonks cookie. In fact, that's the sense of cookies, that's their job.

If you use Apache, you can also use WWW-Auth, so the Browser holds the session and Apache will verify users and passwords for you, so the script only checks $ENV{REMOTE_USER}.

It's an intranet thing, so the Cookie thing is (imho) all right.

--
http://fruiture.de
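
Added example, not part of the post above: one way to keep a session in a cookie without putting the password in it is to store the user name and an expiry time, authenticated with an HMAC that only the server can compute. The secret, the user name `alice`, the cookie name `session` and the helper names `make_token` and `check_token` are assumptions made for this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: in real use the secret is read from a file only the CGI user
# can read. The value here is a constructed placeholder.
my $SECRET  = 'constructed-placeholder-secret';
my $MAX_AGE = 8 * 60 * 60;    # session lifetime in seconds

# Build the cookie value "user:expiry:mac". The password never goes in.
sub make_token {
    my ($user, $now) = @_;
    my $expires = $now + $MAX_AGE;
    my $mac     = hmac_sha256_hex("$user:$expires", $SECRET);
    return "$user:$expires:$mac";
}

# Return the user name if the token is authentic and unexpired, else undef.
sub check_token {
    my ($token, $now) = @_;
    # The user name may not contain ':', so the three fields are unambiguous.
    my ($user, $expires, $mac) =
        ($token // '') =~ /\A([A-Za-z0-9_.-]+):(\d+):([0-9a-f]{64})\z/
        or return;
    my $expected = hmac_sha256_hex("$user:$expires", $SECRET);
    # Compare every character instead of stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. 63;
    return if $diff != 0 || $expires < $now;
    return $user;
}

# Constructed demonstration: issue a token, then check three cases.
my $now   = time;
my $token = make_token('alice', $now);
# "Secure" assumes the intranet site is served over HTTPS.
print "Set-Cookie: session=$token; HttpOnly; Secure; SameSite=Strict; Path=/\n";
print "valid:    ", check_token($token, $now) // 'rejected', "\n";
(my $forged = $token) =~ s/\Aalice/admin/;    # user name changed, MAC kept
print "tampered: ", check_token($forged, $now) // 'rejected', "\n";
print "expired:  ", check_token($token, $now + $MAX_AGE + 1) // 'rejected', "\n";
```

With the Apache approach mentioned in the post, none of this is needed in the script: Apache checks the credentials and the script reads `$ENV{REMOTE_USER}`.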