Where I work, we use cookies; each Perl CGI program in the suite checks the cookie as its first responsibility, using code from a common in-house module. We do this because:
- We need logout (as varian described).
- We need auto-logout. The cookie contains a time-stamp, and each new screen (in the group of Perl CGI that has access to restricted information) checks that the time-stamp is within the last 5 minutes, then refreshes the timestamp.
- Parts of our system are on multiple servers, and we need login to work across them.
- Different users have permission to change different things. Some can just see the page, others can enter information, still others are allowed to sign and finalize a report. The cookie contains the permissions that indicated who can do what. (We only do this for browsers on trusted machines, inside our firewall and at specific IP addresses.)