Apache seems to keep track of user sessions but doesn't use cookies.

Nope, no session, at least not in the server. The web browser simply sends the username and password with each request.

and oh! $ENV{'REMOTE_USER'} works better than amw1's %ENV{'REMOTE_USER'} :)