I've developed my first password protected back-end CMS involving sessions. The customer wants to be able to login from within the company as well as from home or elsewhere. No issue there.

I've got a cron script in there and a log file that are not part of the password protected session (for obvious reasons). I do not want those to be accessible via the web by robots/spiders/hackers.

Someone said I should use .htaccess. However, I don't see how I can allow certain IP addresses if I don't know what they will be.

Does this situation call for using .htpasswd? (fyi: I don't have access to the apache config)

Thanks in advance.