To clarify any possible confusion:
in reply to Re: Re: Re: cgi and https (mildly off topic)
in thread cgi and https (mildly off topic)
.htaccess does affects perfomance since it is parsed on each request. This is correct. But actually it is not related directly to HTTP authorization. This perfomance hit occurs for any request for file in directory with .htaccess file whenever that directory is protected with HTTP authorization or not.
HTTP authorization commands can be put both into .htaccess and into main apache config file. In both cases authorization should be conducted on each request because of stateless nature of HTTP protocol.
I think in most cases having HTTP authorization commands in .htaccess or in main config doesn't affect perfomance so much as proper selection of auth module. Certantly plain text files is much more slower than indexed database for big number of users.