I am about to build authorisation into a Foxweb-based site and I like the idea of using the Auth.authlist property.  To prevent the user editing Authenticate.fwx, I am thinking of allowing the user/password list to be kept in a plan text file, which is read into the Auth.authlist property by FILETOSTR().  Where is the best place to store this .txt file?  I can easily keep it outside of the web tree, but would it be safe-enough in \programroot\subdir ?  Would it be safer on a totally different area (the data is already on a different drive letter)?

The vast majority of pages within the website will require authorised access only.  If I run Authenticate.fwx from FW_enter.prg, is this enough to prevent any .fwx script being run if authentication is not successful?  Do I have to return to .F. if authorisation is unsuccessful or will  script execution be terminated automatically?

Any comments would be appreciated.

Alan Harris-Reid