What's the problem with simple cookie-based auth? All the big sites work that way, and the existing modules like Apache::AuthTicket make it easy. If you need CGI compatibility, use one of the CGI::Application plugins.