It would be helpful to know if you're using mod_perl, since that could, conceivably, do some crazy stuff with %ENV. Or, of course, it could just be missing because the page isn't protected using that particular method, like Kanji suggested. Check your .htaccess or httpd.conf, or whatever you use to do this thing, presumably using a variation on Limit:

<Limit GET POST>
     Require valid-user
</Limit>
[download]

Anyway, what about using CGI.pm?

my $cgi = CGI->new();

my $remote_user = $cgi->remote_user();
[download]

If you are in a mod_perl environment, then it's a bit different:

my $r = Apache->request();

my $remote_user = $r->connection->user();
[download]

I think CGI.pm really digs around to get any required dirt on what REMOTE_USER might be. It's worth a shot.