Yet another .htaccess question


jlisbell
5-6-02, 10:42 PM
If I have more than one area to protect (for example, phpmyadmin, which only I need to access, and another directory for members only to access) but I want to store the .htpasswd files above /htdocs.... is it as simple as creating a directory above /htdocs for each .htpasswd file for each protected directory?
Or does the fact that it's a directory make it browsable?
Guess I could chmod it not to be eh?? Sorry.. typing out loud..
Just getting my feet wet with .htaccess, so if there is a better solution...I am all ears.

On further reading..maybe the require user "user" would work?

MannInc
5-6-02, 11:55 PM
If you were to create a folder above htdocs, you'd have to make it web readable or else there would be no sense to create it and place a .htpasswd file in it.

Why don't you just place the .htpasswd file in the pass protected folder? Placing it above the htdocs, as I've been shown, really isn't any more secure than placing it inside the protected directory.

jlisbell
5-7-02, 12:26 AM
Ah.. well I was going on some info I had read saying the .htpasswd file should be above the /htdocs directory... unless you create a directory that limits you to a single .htpasswd file.
The said directory would only hold the .htpasswd file.
The .htaccess in the "protected" directory would point to the directory holding the .htpasswd file.

Having said that... if it is just as secure to place the .htpasswd in the protected directory... it makes things a lot easier...

I am all about easier.. :)

Forgive my newbieness...

RSaucier
5-7-02, 08:58 PM
You *can* put it above the htdocs area if you'd like. It's my personal preference, just because if someone wants it, they've got to go an extra step or two.

For example, your user root looks like:
/cgi-bin
/etc
/htdocs
/logs

Create a directory called "george" (or "foobar" or ...) and CHMOD it to 755.

In that directory, create as many password files as you need. They don't have to be named .htpasswd; .family, .members or even .yokels all work just as well. Just be sure to reference the correct filename in the .htaccess file that you place in the directory you're trying to protect.

When you create your .htaccess file, make sure the AuthUserFile line reads:
AuthUserFile /www/<first letter of your account user name>/<your account user name>/<your password file directory>/.<password file name>

I may be hazy on the naming convention there...I *believe* it's the primary account user name you defined when you signed up.

Anyhow, just thought I'd toss in my $.02 worth...hope it helps!

Robert

[updated after original post:
Apache.org highly recommends that you keep your .htpasswd files OUT of the web site structure. Found this out as I was cruising through on a different errand. RS]
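
An added example (not written by any poster in this thread): a Python check that reads every .htaccess under a document root and reports whether its AuthUserFile points inside or outside that root, run here against a constructed layout modelled on the one discussed above. The directory names, the `admin` user and the function names are assumptions made for illustration.

```python
import os
import re
import tempfile

# "AuthUserFile <path>", optionally quoted; Apache directive names are case-insensitive.
AUTH_RE = re.compile(r'^[ \t]*AuthUserFile[ \t]+"?([^"\n]+?)"?[ \t]*$', re.I | re.M)

def audit_docroot(docroot, server_root="/"):
    """Return sorted (htaccess, password_file, inside_docroot) for each AuthUserFile."""
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for raw in AUTH_RE.findall(text):
            # Apache resolves a relative AuthUserFile against ServerRoot.
            pw = os.path.realpath(os.path.join(server_root, raw))
            # A file inside the docroot has a URL; only server config keeps it unserved.
            inside = os.path.commonpath([docroot, pw]) == docroot
            findings.append((htaccess, pw, inside))
    return sorted(findings)

def build_sample_account():
    """Constructed layout: htdocs/ plus a sibling george/ directory for password files."""
    root = os.path.realpath(tempfile.mkdtemp())
    docroot, store = os.path.join(root, "htdocs"), os.path.join(root, "george")
    # (protected dir, password file path, Require line) - all constructed sample values
    areas = [
        ("phpmyadmin", os.path.join(store, ".admin"), "Require user admin"),
        ("members", os.path.join(docroot, "members", ".htpasswd"), "Require valid-user"),
    ]
    os.makedirs(store)
    for name, pwfile, require in areas:
        os.makedirs(os.path.join(docroot, name))
        with open(os.path.join(docroot, name, ".htaccess"), "w") as fh:
            fh.write(f'AuthType Basic\nAuthName "{name}"\n'
                     f"AuthUserFile {pwfile}\n{require}\n")
    return docroot

if __name__ == "__main__":
    for htaccess, pwfile, inside in audit_docroot(build_sample_account()):
        verdict = "INSIDE docroot" if inside else "outside docroot"
        print(f"{htaccess}\n  -> {pwfile}: {verdict}")
```

The audit only reads the .htaccess files, so the sample layout does not create the password files themselves.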