February 18th, 2002, 06:33 PM
Contributing User
Join Date: Jan 2001
Posts: 5
When your ShopSite shopping cart program tells you to put non-CGI stuff into your cgi-bin directory, I have to tell you not to use it, because their software is probably not written with security in mind.
What is cgi-bin for?
It is a centralized location for you to place all your CGI scripts in, so CGI scripts don't reside all over your docroot.
When your cgi-bin is ScriptAlias'ed, this forces you to follow the cgi-bin security standard. That is, you cannot place anything besides true CGI scripts into your cgi-bin directory: no nav.gif, no env.php, no .htaccess, no .htpasswd, no foobar.html, only true CGI scripts and nothing else.
>> how to allow additional directories (mainly the cgi-bin) to have .htaccess and .htpasswd abilities
You should place your .htpasswd above your docroot. You also don't need .htaccess, because anything you put in .htaccess can always be defined in httpd.conf. If you must place them in cgi-bin, just don't ScriptAlias your cgi-bin directory; give it Options +ExecCGI instead.
When you need to put non-CGI files or mkdir a directory under cgi-bin, why bother using cgi-bin in the first place, as that defeats the whole security purpose of the ScriptAlias directive?
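An added example, not part of the original post, showing both layouts the post describes as httpd.conf fragments. It uses Apache 2.4 authorization syntax; the filesystem paths, the admin subdirectory and the realm name are assumptions. Only one of the two cgi-bin stanzas should be active at a time.

```apache
# Layout 1: the classic ScriptAlias'ed cgi-bin.
# Every URL under /cgi-bin/ is handed to the CGI handler, so the directory
# must hold nothing but real CGI programs. A nav.gif or .htpasswd dropped in
# here is treated as a program to execute, never served as a file.
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"   # assumed path
<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None          # no .htaccess here; everything lives in httpd.conf
    Options None
    Require all granted
</Directory>

# Layout 2: a cgi-bin that must also hold non-CGI files (the ShopSite case).
# Use Alias instead of ScriptAlias, turn on ExecCGI, and map only real
# script extensions to the CGI handler. Other files are served as static
# content, which is exactly why this layout is weaker than layout 1.
Alias /cgi-bin/ "/usr/local/apache/cgi-bin/"         # assumed path
<Directory "/usr/local/apache/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi .pl
    AllowOverride None
    Require all granted
</Directory>

# Defense in depth for layout 2: never serve .htaccess/.htpasswd-style files
# even if one ends up inside the web tree.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Password protection defined in httpd.conf rather than .htaccess, with the
# password file kept above the document root so it can never be served.
<Directory "/usr/local/apache/cgi-bin/admin">        # assumed subdirectory
    AuthType Basic
    AuthName "Store administration"                   # assumed realm name
    AuthUserFile "/usr/local/apache/conf/.htpasswd"   # outside docroot and cgi-bin
    Require valid-user
</Directory>
```

After editing, run `apachectl configtest` before reloading; a quick check that layout 1 is really in force is to request a non-script file placed under /cgi-bin/ and confirm the server refuses to serve it as static content.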