Why can't you use something like HTTP authentication? Passing usernames and passwords around in URL's and form fields seems kind of messy.

Update: Perhaps I should elaborate in light of the number of negative votes this post is aquiring: Since you say you have control over the CGI, I assume that extends to development. Passing passwords via URL strings like this not only allows prying eyes to see quite clearly what's going on, but it allows anyone peeking at your web server's access logs to gleam usernames and passwords as well. Putting this information in HTML hidden form fields is only marginally better. Using SSL is a bit better than that, but you've still got to code in an entire authentication mechanism with your CGI. Instead of doing all of this, why don't you consider using HTTP authentication, which is built in to most any real web server, and would allow your browser and server to do the job of authenticating, allowing your script to comfortably assume $ENV{HTTP_USER} is, in fact, the user currently logged in. This is considerably safer and easier than trying to build and manage an authentication system in CGI, especially if you're going to take the road to obfuscation to keep the data as 'secure' as you can.