Under normal circumstances, $ENV{REMOTE_USER} is something that the user's client (browser) may or may not send; any decent one (i.e. one your users will actually use) will re-send the user name on each request after clearing HTTP Basic authentication, as per RFC (i.e. it's a standardized mechanism). I don't know how to implement Basic auth in IIS, but I'm certain it's relatively easy.

If you can't use Basic Auth, I'd suggest you look into storing session data on the server. This can range from using a flat file to using a database management system (like MySQL or PostgreSQL).

Of course you'll need some way of identifying a request as belonging to a session, so you'll need to maintain state; the easiest way to do this is (IMO) with cookies (see CGI::Cookie, for example or with some kind of URL-mangling. But look first at using Basic Auth.

perl -e 'print "How sweet does a rose smell? "; chomp ($n = <STDIN>); 
+$rose = "smells sweet to degree $n"; *other_name = *rose; print "$oth
+er_name\n"'
[download]