Topic: .htpasswd location - absolute vs relative

[food monkey]

in the forums it recommends putting the .htpasswd file above the documentroot directory. it seems that this would then require an absolute path.

if i'm on a webhosting service i don't have the luxury of setting docroot in the apache httpd.conf file.

i'm running wamp on my dev test box and hosting is running linux so i won't have any control over the absolute path to .htpasswd. i would doubt apache would let me enter a relative path that goes above the docroot dir.

am i missing something here?

oh and any recommendations on whether to use SHA1 or SHA2 for the password hash?

cheers guys (&gals).

[James Blond]

Relative paths can be used, but they can get quite complicated since they are relative to the ServerRoot.

For the encryption question see How Apache Encrypted Passwords really work

[food monkey]

yeh don't i know it. but surely the webhost would simply be using the redirect statement to divert any requests for my public web address to the directory space they've set up for me.

what's to stop me putting just an .htaccess file in that dir with a redirect to my "real" rootdir and putting the .htpasswd file in the aforementioned dir?

nobody would see that first directory and it wouldn't be in the directory tree of the website's docroot.