I think the issue is how the whole redirection trick works. If the browser does all the work, and the protocol allows you to pass the necessary authorization fields, it could happen. (Unfortunately, I don't know the answers to those questions).

I've dug around in the CGI.pm code, and the redirect() function will pass additional arguments along, so that will work. It's just a matter of finding out IF such arguments exist, and if so, what they are.