If you want to do it with code on the page, then it has to be .php. You can use standard challenge-response in your .htaccess file to protect an html page, but you wouldn't be able to control the login experience or use a database. See:
http://www.javascriptkit.com/howto/htaccess3.shtml