in reply to $ENV{'REMOTE_USER'}

I don't get an unauthorized error. So the system still knows that I am in .htpasswd

That isn't necessarily true: Apache (and presumably other web servers) allows you to limit authentication to a particular group of HTTP methods, and accessing the same URL with a method not in that group will bypass authentication entirely (so no unauthorized errors) and leave $ENV{'REMOTE_USER'} unset.

However, you don't say how you're submitting your form, but if it is via POST (so that the form input doesn't appear in the URL after you submit) then I'd suggest taking a look at your configuration first to ensure you're also protecting GET requests (which a normal link would be).

    --k.
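The configuration check suggested in the reply above, as an added example that is not part of the original post: a small Python audit that reads Apache access-control text and reports which HTTP methods no `Require` directive covers. The sample configurations, the `/path/to/.htpasswd` placeholder, the function name and the method list are assumptions made for illustration.

```python
import re

# Methods worth auditing; this list is an assumption, extend it as needed.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Constructed sample: authentication is scoped to POST only, so a plain
# GET (a normal link) reaches the script with REMOTE_USER unset.
WEAK = """\
AuthType Basic
AuthName "Members"
AuthUserFile /path/to/.htpasswd
<Limit POST>
    Require valid-user
</Limit>
"""

# Constructed sample: Require sits outside any <Limit>, so every method is covered.
FIXED = """\
AuthType Basic
AuthName "Members"
AuthUserFile /path/to/.htpasswd
Require valid-user
"""

def unprotected_methods(config):
    """Return the COMMON_METHODS that no Require directive applies to."""
    covered = set()
    scope = None  # None means "outside any <Limit> block": all methods
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(LimitExcept|Limit)\s+([^>]+)>", line, re.I)
        if opened:
            listed = {m.upper() for m in opened.group(2).split()}
            if "GET" in listed:
                listed.add("HEAD")  # Apache treats HEAD as GET when limiting
            is_except = opened.group(1).lower() == "limitexcept"
            scope = COMMON_METHODS - listed if is_except else listed
        elif re.match(r"</Limit(Except)?>", line, re.I):
            scope = None
        elif re.match(r"Require\s+(?!all\s+granted)\S", line, re.I):
            covered |= COMMON_METHODS if scope is None else scope
    return COMMON_METHODS - covered

if __name__ == "__main__":
    print("weak: ", sorted(unprotected_methods(WEAK)))
    print("fixed:", sorted(unprotected_methods(FIXED)))
```

Any method the function returns for a protected directory is one that can reach the CGI script without credentials, which matches the symptom of no 401 response and an empty `$ENV{'REMOTE_USER'}`.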