Linode Forum
Linode Community Forums
Posted: Mon Aug 22, 2011 11:17 am
Senior Member

Joined: Wed May 13, 2009 1:32 pm
Posts: 737
Location: Italy
Hi...

I would like to protect a file from download; I would permit the download only to people who have the correct username and password.

Do you think that the .htaccess way is quite secure?


Posted: Mon Aug 22, 2011 2:09 pm
Senior Member

Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
.htaccess works fine, until one day you make a typo in the relevant config file and Apache begins to ignore it, or you give another web server a try without remembering that lighty and nginx don't support .htaccess files.

It's much safer to keep your stuff outside of the document root altogether. PHP scripts and other server-side programs would have no problem serving it.


Posted: Tue Aug 30, 2011 2:13 am
Senior Member

Joined: Thu Oct 02, 2008 8:56 am
Posts: 99
I concur.

Most of my static content is actually kept outside the web root and served by a PHP wrapper.

It's not just a possible mistake in configuration; it is also possible vulnerabilities in Apache or a module you have loaded that may allow an unauthorized user to grab the content.

A classic example is the HFS+ file system Apache bug when OS X first shipped. HFS+ is case preserving but not case sensitive, so people could get around .htaccess limitations by changing the case of the request. Apache would see a request for /reStricted/file.ext and not apply the .htaccess rules that restricted the directory /restricted/ because Apache didn't know they were seen as the same directory on HFS+ systems.
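
A sketch of the "outside the document root, served by a PHP wrapper" approach recommended in the replies above. This is an added example, not code posted by anyone in the thread. The directory `/srv/private-files`, the credentials file `/srv/private-auth/users.php`, the `file` query parameter and the `deny()` helper are assumptions, and it assumes PHP receives the HTTP Basic credentials (as it does under mod_php).

```php
<?php
// download.php sits in the document root; the protected files do not.
// Every path and name here is an assumption made for this example.
declare(strict_types=1);

const PROTECTED_DIR = '/srv/private-files';          // outside the document root
const USERS_FILE    = '/srv/private-auth/users.php'; // returns ['name' => password_hash() output]

function deny(int $code, string $message): void
{
    http_response_code($code);
    if ($code === 401) {
        header('WWW-Authenticate: Basic realm="Downloads"');
    }
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Authenticate before touching the filesystem. Serve this only over HTTPS:
//    Basic credentials are merely base64-encoded on the wire.
$users = require USERS_FILE;
$user  = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass  = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!is_array($users) || !isset($users[$user]) || !password_verify($pass, $users[$user])) {
    deny(401, 'Authentication required');
}

// 2. Accept only a bare file name: no slashes, no "..", no control characters.
$name = $_GET['file'] ?? '';
if (!is_string($name) || preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $name) !== 1) {
    deny(404, 'Not found');
}

// 3. Resolve symlinks and confirm the result is still inside PROTECTED_DIR.
$base = realpath(PROTECTED_DIR);
$path = realpath(PROTECTED_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404, 'Not found');
}

// 4. Stream the file. The access decision was made in step 1 by code, not by
//    matching the URL against a per-directory rule, so a request that varies
//    the letter case of the name still has to authenticate first.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the files are never mapped to a URL, a disabled or ignored `.htaccess`, or a switch to a server that does not read `.htaccess`, leaves them unreachable rather than exposed.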

