With the Apache web server, the access to a particular directory can be password protected by placing a suitable .htaccess file in the dir.
That works OK for me, but the password is only requested once per browser session. Well, I'm dealing with sensitive data and I'm paranoid about it too.
Can the the timeout for re-requiring the password be configured? Could the lifetime even be zero, so that a password is required every time the URL is accessed?