Hi. There is very little you can do to the htaccess popup screen. But if you wanted a different system, you could make your login screen look whatever you wanted it to be.

Look into database authentication methods (or even text files would work) with such languages as ASP, JSP, and PhP.

Here you create a simple HTML form and validate the input fields the user sends. If valid, the user enters. If not, they go away.

Watch out for any client-side process though - all validation needs to be server side.

the problem is that i'd like htaccess to handle permission to access everything under the directory in which it resides but i'd like to customise the login panel, preferably using my own html page.

to handle authentication to access every page under a directory would be a lot of unnecessary work if htaccess can do that for me!

just a thought but could i implement my own form of access/deny by dynamically creating a list of trusted ip addresses, putting this in the .htaccess file and somehow setting these ips as the only visitors allowed in all child directories? if so could someone advise what the entries would look like in the .htaccess file. would it be safe to dynamically modify the .htaccess file? i'd be worried about corrupting it if site traffic were high.

thanks in advance

sounds too complicated.

With a portal type authentication like I described you don't really have to do anything for each page, just a line or two of code.

sorry txbakers, i obviously didn't understand your solution.

if i have a directory structured site with hundreds of web pages, what would stop a user directly typing a url into their browser and going to a page deep down in the directory, bypassing the login page? don't i need htaccess to stop that?

otherwise if i maintain a list of valid users, with ip address, won't i have to check this access table, using ssi or something similar, every time they request a new page?

sorry if i'm asking dumb questions but authentication is new to me.

The authentication applies to all subdirectories below the one you protect. (Apache reads all the directories all the way back up to the root level)

You might want to take a look at these:
[httpd.apache.org...]
[httpd.apache.org...]

In the second article:

How can I change what the password box looks like?

Answer:

Unfortunately, these things are features of the browser, and cannot be controlled from the server side. If you want the login to look different, then you will need to implement your own authentication scheme. There is no way to change what this login box looks like if you are using basic authentication.

Part 13.7 of the Mod_perl Developer's Cookbook details writing your own authentication mechanism that runs off basic auth like your .htaccess file does, but allows you to change the standard pop-up box for user name and passwords. It also allows you to store username/passwords (and groups and the like) in something other than a flat file, how to log people out using basic authentication, and lots of other tricks. The Mod_perl Developer's Cookbook is available at all the normal book places and there's a site about it at:
[modperlcookbook.org...]

I personally have found that Apache::AuthCookie provides me with a better alternative. You can find the good stuff about it here:
[perldoc.com...]

Just another reason why I can't understand how anyone lives without mod_perl in their apache installation.

What I do is create an "application.php" script that I include at the very top of every script in an "application" on my website. It takes care of user authentication where appropriate on every page of the site by using sessions.

If they jump to a page by typing the URL, the application.php script checks for their login session, if it doesn't exist, forces them to the login script.

Another choice is to use a redirect on the directory so that all requests go through a single point of entry.

I use a login page and custom php auth scripts. I encrypt a cookie and check it on each page. It sounds slow but it is very fast. If it doesn't authenticate you get bounced.

thanks for the info everyone, i'd better get reading/scripting!