How would you implement FORM based authentication without a backing database?

A few ways you could do this.

1. htaccess -- have your webserver handle securing the pages in question (not exactly cgi form based though).
2. Use cookies and some sort of hashing algorithm (md5 is good enough) to store the passwords in a flat file where each line in the file is username:passwordhash. Make sure to salt your hashes for extra security vs rainbow tables. (This method is a bit naive... be very careful with security if you go this route)
3. use something like a sqlite database just to handle authentication. Sqlite is compact and simple enough that it may still meet your needs even if you don't want a big db backend.

Theoretically, you could also store session data in a flat file, even if you can't have a database.