I think corion is right about using CGI::Session... but if you don't want to do that, and you insist on obfuscating the URI, you might consider treating the data as a path and using $cgi->path_info to extract the path past your CGI. (This only works in webservers that support it.)