.htaccess files are not by default ever returned by the server (Apache anyway), so even if someone requested it the server would say it didn't exist. And, if someone did get hold of it all they would normally see is the path to the location of the file that holds your authorised users' details, this *should be* outside the server's document-tree anyway so they can't get to your encrypted password list, or username list (if you have one).
Mind you, unless you're using SSL its all transmitted without encryption so its possible to sniff the traffic, although not that easy on the web (not compared to a LAN anyway)
cheers
Jamie...
|