OK, after a bit of research (RFC 2617 - HTTP Authentication), I've figured it out.

The browser only pops up the basic authentication dialog if it receives an HTTP_UNAUTHORISED(401) return status and a WWW-Authenticate header.

So instead, you can do what Apache::Cookie does:

• Unauthenticated user:

  return an HTTP_FORBIDDEN (403) status and use $r->custom_response() to send them the HTML of your login form

• Authenticated user:

  return OK, and apache will send them the file

Clint