The way that almost all commercial-grade application servers do it is to create a unique string (e.g., based on a call to crypt() of a combination of the return value from time() and the user's IP address) and associate it with the user by an entry in, say, the session table in the database.

Then that session string is attached either via a CGI parameter or a cookie. Forcing users to accept cookies is so common these days that you really won't lose traffic by storing the session information in a cookie.

Since there is no private information stored in the session string, it really doesn't matter whether you use CGI parameters or cookies.

Certainly avoid at all costs putting user information such as user name or password in CGI parameters. It's about as flagrant a security hole as there is. Might as well just put all the user names and passwords on the login page for reference.

Hope this helps,

-Me