There is a third way of enforcing user authentication that I'll touch on before wrapping up this section -- the .htaccess file.
Keep in mind as you read through the following material that the .htaccess file is not restricted to authentication directives (although this is how it's most commonly used). Almost all the directives allowed in directive blocks and the main server configuration section of httpd.conf can also be placed in this file.
Any time you make changes to httpd.conf, you must restart the server before those changes can take effect. This is because Apache only reads its configuration file at startup. As an alternative, you can place changeable directives (including authentication statements) in .htaccess. When it exists, the server reads this file at each access. The advantage of using an .htaccess file is flexibility -- the webmaster (or Web owner, if the file is placed in the Web's document root) can edit entries here and have them take effect without requiring a restart. The disadvantage is a serious degradation in performance as the file must be parsed and the directives there analyzed before every request is served.
The name .htaccess is used by convention, but you can call this file anything you want. Just make sure you tell Apache what access control file to look for. The directive is AccessFileName filename (for example, AccessFileName .htaccess .myaccess1 .otheraccess2) and you can place it anywhere in the main server configuration section of httpd.conf. Adding this directive requires a restart and, in most cases, also requires the client browser to be restarted to clear password caching.
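The following configuration is an added example, not taken from the original text. It shows the AccessFileName line above together with the settings an administrator would normally pair with it. It assumes Apache 2.4 syntax (Require all denied), and the directory paths, realm name and password file location are constructed placeholders.

```apache
# ---- httpd.conf, main server configuration section ----

# Names Apache looks for in each directory on every request.
AccessFileName .htaccess .myaccess1 .otheraccess2

# The stock httpd.conf hides only files whose names begin with ".ht",
# which covers .htaccess and .htpasswd.
<Files ".ht*">
    Require all denied
</Files>

# The renamed access files do not match ".ht*", so without this rule a
# client could request them and read the access rules they contain.
<FilesMatch "^\.(myaccess1|otheraccess2)$">
    Require all denied
</FilesMatch>

# Everywhere else: ignore per-directory files entirely. With
# AllowOverride None, Apache does not look for them at all, which also
# avoids the per-request parsing cost.
<Directory "/var/www/example">
    AllowOverride None
</Directory>

# Only this subtree may use per-directory files, and only for
# authentication directives (AuthType, AuthName, AuthUserFile, Require).
<Directory "/var/www/example/private">
    AllowOverride AuthConfig
</Directory>

# ---- /var/www/example/private/.htaccess ----
# Read on each request, so edits here take effect without a restart.
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the document root.
AuthUserFile "/etc/apache2/example.htpasswd"
Require valid-user
```

Running apachectl configtest after editing httpd.conf catches syntax errors before the restart. Basic authentication sends the password with every request, so this setup belongs behind TLS.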