I guess im trying to never store the users password in either the file or in the cookie.

That is usually accomplished by only storing a one way hash of the password. This is how the Unix passwd/shadow file stores passwords. You can check to see if a supplied password is valid by hashing it again and comparing it against what is stored.

if (crypt($password, $storedpwd) ne $storedpwd) {
  die "Sorry...\n";
} else {
  print "ok\n";
}
[download]

You mentioned that you don't want to use external modules, so I showed an example using the built in 'crypt' function (see 'perldoc -f crypt' for more info), but it would be more secure to use SHA1 or MD5 hashes.

- Cees