The sites that suggest not putting the username or userid as a cookie -- how else am I supposed to figure out whether a user is logged in or not? Is there any other way?
Well one way is to use sessions. A good way to find out about them and how they work is the CGI::Session::Tutorial.