just a quick post, i'm on my way to bed, i hope it works instantly or that others can help you out if i'm not around:

Make this the content of your .htaccess in stead:
----------------
AuthName "We require your authorisation."
AuthType Basic
AuthUserFile /users/somedir/somedir2/.htpasswd
require valid-user
----------------

that is, without the "----------------" lines.

The limits that you have set up cover only GET and POST - this one blocks all.

The valid-user is the list of users as stated in your .htpasswd file.

It doesn't seem as if you have set up groups, so i deleted the AuthGroupFile line.

Hope this helps.
/claus

It still doesn't recognize me as a user :(

Sorry about that, i had hoped it would be an instant fix, but it wasn't. Unfortunately, these things can be hard to troubleshoot as server setups tend to be different. These questions might help:

1) are you running an apache web server? on some kind of *nix (linux, unix, freebsd...)?

2) does your host support the use of .htpasswd and .htaccess? (is your account configured with "AllowOverride AuthConfig")

3) did you upload the files as ascii?

4) are both files plain ascii text and no html (and no hidden "control characters" either)?

5) did you set permissions on both files (chmod) to at least 644?

6) The directory that holds your .htpasswd, is it the same as that holding your .htaccess, or, is this path to your .htpasswd the right one? /users/somedir/somedir2/.htpasswd

7) is the "somedir2" protected from reading in some way - by another .htaccess directive somewhere on your server?

8) is the "somedir2" readable by .htaccess? (chmod it to 755 )

If you can say yes to all this, it all seems right. I don't know the password generator that you've used, but i do not think that this one is the problem. You could try using another; do a search for password generator or base64-converter.

You could also try try setting permissions on all fiels and directories to 777 and then 775, 755 and so on until you reach the smallest number that works.

Or just try deleting the htpasswd file, make up some new user names, get the new base64-coded passwords and try again.

Hope this helps
/claus

I've "upgraded" and now when I click the link I get in without a user/pwd pop-up, other people do get it, but when they enter name1/pwd or name2/pwd is still doesn't know them. :(
Any clues about what might be going wrong?

.htaccess
AuthType Basic
AuthName "We require your authorisation."
AuthUserFile /users/somedir1/somedir2/.htpasswd
AuthGroupFile /users/somedir1/somedir2/groups
require group webmaster
Order allow, deny
Allow from xx.xx.xx.xx [my own ip]
Satisfy any

groups
webmaster: name1 name2 name3

.htpasswd
name1:pwd
name2:pwd

[Wrote this while Claus posted his former message, gonna check your points right away, tnx. for the suggestions.]

1) Yes, running an apache web server.
2) Support of .htxxx? .htaccess works, so think so. Send email to host to check it.
3) Yes, files upload as ascii.
4) Yes, both files are plain ascii.
5) Yes, both files permissions are 644.
6) Directory of .htpasswd and .htaccess are different.
To be sure I now placed the .htpasswd in /test.
7) I've created only 1 .htaccess file.
8) "somedir2" (now called /test) is chmod 755.

I've found and used a base64-convertor, deleted and recreated my .htpasswd file with new user names and passwords.

I changed all chmod's to 777.

I changed the path to directory /test to ../test, ../../test, ../../../test etc. just in case the dir was wrong.

STILL doesn't work.

I'm just hoping the admins of my site have set some variable causing this not to work or else I'm at a total loss.

[Later note: I've removed my groups file, then also my .htpasswd file and finally also my /test directory. Accessing the html page still looks exactly the same. Which is a shame, because that shows that even if .htaccess can't find the needed file, it doesn't give an error message, so I still can't be 100% sure it finds my .htpasswd file.]

I've just re-read some Apache docs to get things straight: You can clearly make the "Allow" directive work, so AllowOverride must be implemented. And, as you can also make the "AuthName" work, the AuthConfig should also be implemented.

So, it seems that you really should be able to do what you are trying to do.

Now you've made it a bit more complex, by adding a group and an Allow-statement, but it still makes perfect sense. Try deleting this line, though:

Order allow, deny 

It does not make any difference here. Remember, you've got the "Satisfy any" set, so either your IP is allowed or you will be asked for a password.

Plus: If all users in your password file is also in your group file, you really don't need two files, you could do without the group file. Anyway, there's nothing wrong with what you've done here either. oh.. perhaps the group file should not list users that are not in the password file also.

I really don't know what else could be of any help right now.
/claus

Plus: If all users in your password file is also in your group file, you really don't need two files, you could do without the group file.

Don't understand the above, where would the passwords go? Into the group file? So:
webmaster: name1 name2
name1:pwd
name2:pwd
?

Removed the names that were in one file and not in another, they got the same names now.

The host webmaster just fixed my problem in a different way, perhaps that helps as to what is going wrong with my files? He made this .htaccess file and it works:

#Access file
order allow,deny
allow from all
require group [some group name]
Authname WebmasterSection
Authtype Basic
AuthAuthoritative off

The group name is our password file for the site, so our login names/pwd for the site are now the same as for just a piece of html page, which I don't like.

I mailed him back, thanked him for the fix, but also said that I didn't like it and if he could tell me how to fix my own files (giving me control of usernames/groups/passwords etc.)

Thanks again for your reaction Claus, perhaps there is something in the above file that gives you a clue as to what is going wrong with my own files?

Don't understand the above, where would the passwords go? Into the group file?

no, just like i wrote in post 2:

AuthUserFile /users/somedir/somedir2/.htpasswd 
require valid-user 

You only need the one password file, if all your users are in the same group anyway. The "valid-user" stuff makes the server read the password file.

perhaps there is something in the above file that gives you a clue as to what is going wrong with my own files?

The file that your host made looks rather strange to me. Actually it does not make very much sense. But your host knows your server setup better than me, and i think he must have had some reason for the things he has done.

Anyway, I'm glad to hear that he responded quickly, that's always a great help :)

I don't quite understand what you mean by this:

The group name is our password file for the site, so our login names/pwd for the site are now the same as for just a piece of html page, which I don't like

/claus

Hhmm, misread what you wrote, you wrote you can do without the groups file and I somehow read do without the password file (leaving only group file). See what you mean now.

>I don't quite understand what you mean by this:
>
>>The group name is our password file for the site, so our >>login names/pwd for the site are now the same as for >>just a piece of html page, which I don't like

The group file that is now used is the file that contains all users we make for our site (including our own accounts to modify the site).
(virtually that's the /etc/passwd file for us)
So let's say I want to give you (Claus) access to the html page I'm protecting with .htaccess that means I'll have to give you an account on our server, because that's the only way I can create a user/pwd combo.
It also means that people can try to guess our site password by trying to enter the protected html page (scripting for password).

cphoenixc now i get it, and i don't like it either:

that means I'll have to give you an account on our server

This is a very bad solution. Not only is it not very practical, it is also very much a security risk.

Now i understand some of the weird stuff your host sent you. You probably have some kind of web interface to add new users from - interacting with some database. This implies that you have limited control over your own web space even though your host tells you something else.

You will probably not be able to make a .htaccess solution "the right way" - but probably your host can suggest some "other way" to do it. Do not accept the suggestion they just made though (post #8), it's simply an invitation for trouble.

I can't really suggest "other ways", as i do not know the necessary details of the hosting setup.

I feel very bad about this. If my host suggested a security breach like that to me, it would sound like they were saying: "Hey, i'm an internet host, but i really don't know what i am doing and i don't care about my customers". My personal reaction would be to switch to another host asap.

I don't know if i should recommend you to do the same - it's not always an easy move to make, and if your host can offer you a safer method (or you can get by without one) it could be wiser to stick with the host. At least until you have had a chance to find a good alternative and prepared the move to avoid too many complications.

Anyway, try to explain that you just want to grant access to a limited area and not the whole file system. It is not a wish that should be unusual for an internet hosting company. I hope that the host will be able to suggest something so that you do not have to move to another.

Although i know a few things about htaccess i do not know how to help you out on this one. Possibly your host is the only one that can help. I'm sorry, but at least i gave it a good try.

Here's something else:

It's not at all as safe as htaccess and you need a javascript enabled browser to use it, but this is not the easiest script to bypass and it's flexible too:

JavaScript password protection and session management [codeproject.com]

It just might be "overkill" for your purpose, so if you find the setup too complicated, there are many others like it that are simpler, but also easier to get around. Just search for "javascript password protection" or something like that at your preferred SE.

/claus

Well, our host looked at it and it's fixed. Simple problem was that I wasn't using the correct path to the .htpasswd file...
Our main directory is ".", but the path I had to use is:

/dir/anotherdir/anotherdir2/.[path to pwd file]

So I have to use 3 dirs above our site which names I didn't even know (can't see them).

So it wasn't the contects of the files, was doing "everything" right, just not using the correct path.

The file our host gave us now looks like this:

order deny,allow
deny from all
AuthType Basic
AuthUserFile /correctpath
AuthName "Test authenticatie"
require valid-user
satisfy any

Which I want to turn into:

AuthType Basic
AuthName "We require your authorisation."
AuthUserFile /correctpath/.htpasswd
AuthGroupFile /correctpath/groups
require group webmaster

Allow from xx.xx.xx.xx [my own ip]
Satisfy any

groups
webmaster: name1 name2 name3
group2: name4 name5

.htpasswd
name1:pwd name2:pwd name3:pwd name4:pwd name5:pwd

Claus, I removed the "allow, deny" line as you suggested, but mainly cuz I don't 100% grasp their influence yet.

Any comments?