the method I have used a number of times for security handling
is a combination of cookies and password/identifiers. It is not
by any means industrial strength protection...
- User logs in via CGI validation.
- If validated, the CGI encrypts the secret info and stores the
  encrypted string in a cookie; it also saves other non-secure
  stuff in clear, unencrypted cookies, like an ID.
- Every time the user hits the site, the CGI nabs the ID and the
  encrypted cookie, uses the ID to get the secret info (local source,
  user flat file, database, whatever), encrypts the secret info (using
  the same salt used in the first encryption) and compares the new
  encrypted string against the cookie version.
- If the two encrypted strings match, the user is allowed in; else
  bounce to the login screen.
SSL would make all of the above much safer as the initial login would not
be in the clear.
good luck!
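The scheme above, written out as an added example (this is not the poster's code). It assumes a dict standing in for the user flat file or database, a constructed server-side key, and realises "encrypt the secret info with the same salt" as an HMAC-SHA256 keyed with that server key, which yields the same deterministic string for the same input on every hit without the secret being recoverable from the cookie. The comparison of the two strings uses a constant-time compare.

```python
"""Cookie-based login check in the style described in the post above.

Added example, not the poster's code. Assumptions (not from the post):
- USERS is a constructed stand-in for the "local source / flat file / database";
- "encrypt with the same salt" is done as an HMAC-SHA256 with a server-side key;
- passwords are checked against a PBKDF2 hash rather than stored in clear.
"""
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Optional

SERVER_KEY = b"constructed-server-side-key"  # constructed; read from config in practice
PW_SALT = b"constructed-password-salt"       # constructed; per-user salts in practice


def pw_hash(password: str) -> bytes:
    """Password hash used by the CGI validation step (constructed choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 100_000)


# id -> {password hash, secret info}; constructed sample user
USERS = {
    "alice": {"pw_hash": pw_hash("correct horse"),
              "secret": "alice|level=user|since=1999"},
}


def seal(secret_info: str, key: bytes = SERVER_KEY) -> str:
    """Deterministic 'encryption' of the secret info: same input and key -> same string.

    The cookie holds this string, not the secret itself.
    """
    return hmac.new(key, secret_info.encode(), hashlib.sha256).hexdigest()


def login(user_id: str, password: str) -> Optional[Dict[str, str]]:
    """CGI login step: validate the password, then return the cookies to set.

    Returns None when validation fails (caller bounces to the login screen).
    """
    rec = USERS.get(user_id)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], pw_hash(password)):
        return None
    return {
        "id": user_id,               # clear, non-secret cookie
        "auth": seal(rec["secret"]),  # encrypted secret info
    }


def as_cookie_header(cookies: Dict[str, str]) -> str:
    """Simulate what the browser sends back on the next hit: 'id=...; auth=...'."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def check_request(cookie_header: str) -> bool:
    """Per-hit check: read id + auth cookie, re-seal the stored secret, compare."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "id" not in jar or "auth" not in jar:
        return False
    rec = USERS.get(jar["id"].value)
    if rec is None:
        return False
    expected = seal(rec["secret"])
    # constant-time compare so a mismatch does not leak where the strings differ
    return hmac.compare_digest(expected, jar["auth"].value)


if __name__ == "__main__":
    cookies = login("alice", "correct horse")
    print("login ok:", cookies is not None)
    print("hit accepted:", check_request(as_cookie_header(cookies or {})))
    print("tampered auth accepted:", check_request("id=alice; auth=" + "0" * 64))
```

As the post says, the cookie travels in the clear without SSL; in a real deployment the cookies would also carry the Secure and HttpOnly attributes, and the server key would be read from configuration rather than a literal.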