Another gotcha that's worth investigating - if /home/foo/public_html/mumble has .htaccess in it, but your script runs under a ScriptAlias (from /home/foo/cgi-bin for example) then it won't need or send the REMOTE_USER details. Try (from a freshly opened browser) going straight to the scripts URL and see if it asks for authentication - if it doesn't, then it's not protected by the scheme that protects the form that leads to it.

the hatter