<form name = "login" action = "loginpage.cgi " method = "GET">

Just another side remark.  It's generally better to use the POST method to submit forms that are transmitting sensitive information like passwords etc.  With POST, the info will not be part of the URL (such as loginpage.cgi?username=ken&password=secret&...), as it's the case when using GET, thus reducing the likelihood that passwords will end up in logfiles of webservers, proxies, etc... (yes, I've noticed you're using cache_control, but those directives are more of an advisory nature, ultimately).

It's bad enough already that (with HTTP) the entire traffic goes over the wire in the clear anyway, but you certainly don't want passwords to be stored persistently in logfiles... for the unsuspecting admin to stumble across inadvertently :) — remember that people often use the same password in multiple places, so knowing one might compromise more than this immediate web resource.