Expanded, that 1st line is showing that you are receiving the user's name as input from an HTML form. So...

my $user = $query->param('username');

You can keep this in a hidden field in the form.

$query

is an arbitrary, but oftused name for the CGI session variable. Read all about it in the CGI docs.

$stillloggedin

...simply represents what redirection you would use if the user is found in the cookie, indicating their cookie has not timed out and that they are still logged in. Otherwise (&loggin), take them to an HTML form where they have to re-log-in.

Update: Check out Ovid's CGI course, as well the CGI Tutorials here in the Monastery. Super Searching will find enough on the topic to choke a horse. Also, bear in mind, what I have presented is a very simple solution. It is not secure (though the username is less important this way than the password—another huge topic among monks). There are more complicated scenarios using a database, in combination with cookies, to track who's logged in, etc. Cookies are not always enabled, so database methods might be invoked, and beyond the scope of this thread. (Update 2: fixed typos in my first Update—where's Preview when you need it :^)