One way would be to store some session data using CGI::Session before forwarding the user to bar.cgi (which basically says "This user is being forwarded to bar.cgi from foo.cgi"), and then read that data using CGI::Session in bar.cgi. If, in bar.cgi, the data is not present or invalid, deny the request.