View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
07405 | Feature requests | Authentication | public | 2010-04-26 15:16 | 2021-05-10 11:33 |
Reporter | jelo | Assigned To | c_schmitz |
Priority | normal | Severity | feature |
Status | closed | Resolution | won't fix |
Summary | 07405: SSL-encrypted admin login without enforcing SSL-encrypted access to the surveys |
Description | The setting of $rooturl = "http://$_SERVER['HTTP_HOST'] only allows you to set https or http. No case-wise SSL encryption. Often installations are using self-signed certs, which will produce cryptic messages besides adding load when just delivering surveys to respondents. A workaround is leaving the $rooturl empty. But that causes problems, e.g. incorrect links in emails. Using the URL rewrite routine of the webserver is another. |
Additional Information | A possible solution: Offer a separate admin URL in the config.php. With the separate admin URL setting, SSL can be enforced when logging in without causing any problems on the frontend side. |
Tags | No tags attached. |
Bug heat | 12 |
Story point estimate | |
Users affected % | |
has duplicate | 10565 | closed | force HTTPS only for admins (not survey takers) |
Really funny to see opponents to this feature request. As long as SSL can be deactivated in LimeSurvey, I cannot understand the reasons to oppose this request. BTW: Nearly six years have passed. I still see commercial surveys without SSL nearly every day.
Have to do it in a plugin. Just need a better plugin event than 'afterPluginLoad'; beforeController is really a better idea for this. jelo: why plugin?
Added this to the wiki as DenisChenu suggested here: I'm not sure it's the best solution - probably one can enhance this, but this is what seems to work for me for now. Runs on both 2.0x and 2.5

    # ALL ADMIN TO SSL
    RewriteCond %{SERVER_PORT} 80
As far as commercial surveys without SSL go: There are some people using some really old browsers that seem to get stuck with SSL in many server configurations. There are not many such cases, but still - if you aim to measure the general population, one would need as little systematic exclusion from the sample as we can get. Even the opposite. For example - while doing public opinion on web panels - it is essential to get hold of the part of the population that is less active, less educated etc. And the ones with older browsers often might be part of this group. I am also doing non-SSL links, primarily due to the small number of respondents I would lose due to technical reasons.
Thank you t6nnp6nn: the best solution is to do it in a plugin or in core. Your htaccess seems great for users who can do it :). Denis
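The admin-only HTTPS redirect discussed in the notes above, written out as an added example (not the rule from the wiki or from LimeSurvey itself). It assumes Apache with mod_rewrite, LimeSurvey installed at the web root, and admin pages reached as /admin, /index.php/admin/... or /index.php?r=admin/...; adjust the patterns to your install.

```apache
# Added example: redirect only the admin interface to HTTPS and leave
# survey URLs reachable over plain HTTP.
RewriteEngine On

# Act only on requests that arrived without TLS. This is equivalent to the
# "%{SERVER_PORT} 80" test when HTTP listens on port 80. Behind a
# TLS-terminating proxy %{HTTPS} is always off; test the proxy's forwarded
# protocol header there instead, or this rule loops.
RewriteCond %{HTTPS} !=on

# Admin request, either path-style or query-string routed.
# Evaluation order is: not-HTTPS AND (path matches OR query matches).
RewriteCond %{REQUEST_URI} ^/(index\.php/)?admin(/|$) [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)r=admin(/|&|$) [NC]

# Send the browser to the same host and path over HTTPS. The original
# query string is carried over automatically.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Caveats for a mixed HTTP/HTTPS host:
# - The redirect protects the login form because the GET for the admin page
#   is upgraded first. A credential POST sent directly to the http:// URL
#   has already crossed the wire in clear text before the redirect answers.
# - The admin session cookie needs the Secure attribute; without it the
#   browser also sends it on plain-HTTP survey requests to the same host.
```

A quick check after deploying is to request an admin URL over http:// and confirm a 301 with an https:// Location header, then request a survey URL and confirm it is served without a redirect.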
Date Modified | Username | Field | Change |
---|---|---|---|
2016-03-30 19:51 | jelo | Note Added: 36851 | |
2016-03-31 09:18 | DenisChenu | Note Added: 36855 | |
2016-04-04 11:09 | DenisChenu | Status | acknowledged => new |
2016-04-04 11:09 | DenisChenu | Relationship added | has duplicate 10565 |
2016-04-04 12:08 | | Note Added: 36971 | |
2016-04-04 12:16 | | Note Added: 36972 | |
2016-04-04 12:23 | DenisChenu | Note Added: 36973 | |
2021-05-10 11:33 | c_schmitz | Assigned To | => c_schmitz |
2021-05-10 11:33 | c_schmitz | Status | new => closed |
2021-05-10 11:33 | c_schmitz | Resolution | open => won't fix |