I just want to point out *why* that doesn't work.

If a URI is using basic authentication the server will challenge the browser with 401 if it does not receive a valid user/pass combo with the request, ad infinitum. Once a valid user/pass is provided, the browser will transparently feed the server that user/pass for every URI below the protected one. Therefore, your environment variables are being set by the server, because the browser is providing it. Furthermore, you're changing an environment value in a child and expecting it to apply to all children, which it clearly won't.

--
I'm not belgian but I play one on TV.