basic auth and mod-rewrite

[John Michael <jo...@acadiacom.net>]

I have a probem with bot script and brute force attacks.  I wrote a script
that stops about 95% of attacks.  However, there a still a couple of guys
out there that do ip spoofing.
I tried using  .htaccess file like it is below hoping that the rewrite
directives from mod-rewrite would require the user to come from a certain
page first.  That is why I put the rewrite stuff at the top. However, it
does not.  It still ask for user credentials and then the rewrite stuff
kicks in.

Finally, my question.  How can I get the .htaccess file to do the
mod-rewrite directives first and then do user authentication.  This would
stop bot scripts that at least didn't have the HTTP_REFERER env. variable
set correctly.  Is it possible.

######## my .htaccess file below starts here #######################
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/login/ [NC]
RewriteRule /* http://mydomain.com/ [R,L]


AuthUserFile /path/to/my/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName 'Protected Area'
AuthType Basic

<Limit GET PUT POST>
require valid-user
</Limit>

#added for unhurler
ErrorDocument 401 /cgi-bin/unhurler/unhurler.pl

################ ends here #######################################
Thanks in advance
--
John Michael