This is a shot in the dark, but I've been spending plenty of time trying to analyze an identical problem with access control when changing from modperl 1 to modperl 2

If a user is passed on with a Location: header with a reference to a local file, Apache 2, in contrary to the 1-generation, locates the file and passes it to the user without making it a new request. Meaning that your ModPerl access control handlers are never run -and depending on your code, it might seem like the username/password is cached!

If this could be the case, I suggest doing all Location-headers with absoulte URLs, domain and all.

Hope this helps. Another suggestion would be to log everything you're doing in the handlers and see if they actually run at all requests.

Mats