Both my Apache installs strip Authorization headers (even though they're not CGI implementations) and don't populate HTTP_AUTHORIZATION.

Using apache_request_headers when available, would seem to be more robust.