Without CGI::Session you have

• a readable password file (apache user must read it)
• a readable password in the cookies - anybody on the packet path can read it with a sniffer

With CGI::Session you at least avoid the second part. And if you have readable passwords in one place, one more place won't make that much of a difference.

No matter how you slice it, your apache process must be able to read the passwords to verify them. And it must be able to read your script. So even if you encrypt your passwords to protect them, the bad guys can just read your script, and use that to decypt the passwords.

Face it: you can't secure passwords on a server where other people have root. Root, if no-one else, can read everything.

You have to make a weighted decision: are your passwords valuable? If they are, get your own server, and be the only one with root. If they aren't worth the cost of a separate server, perhaps no-one will bother getting an account on that exact shared server just to steal your passwords.

Just one caveat (I know it's not what you're asking, but it's worth mentioning): Do not ever accept credit cards (or Ghu forbid store credit card info) on a shared server. Because that is just asking for trouble.

Get your own server, or have the CC transactions handled by a merchant service, but if you're on a shared server, don't do it yourself.