If the referring URL also used the same type of user:password authentication, you could always extract both the user & password from the $ENV{'HTTP_REFERER'} using a REGEXP.
UPDATE: I should have tried it first. NO worky. It appears that Netscape (and I'm guessing other browsers) remove this info from the referring url string before sending the request.