View Issue Details
ID: 07405
Project: Feature requests
Category: Authentication
View Status: public
Last Update: 2021-05-10 11:33
Reporter: jelo
Assigned To: c_schmitz
Priority: normal
Severity: feature
Status: closed
Resolution: won't fix
Summary: 07405: SSL-encrypted admin login without enforcing SSL-encrypted access to the surveys
Description

The setting $rooturl = "http://$_SERVER['HTTP_HOST']" only allows you to set https or http. No case-wise SSL encryption.

Often installations are using self-signed certs, which will produce cryptic messages besides adding load when just delivering surveys to respondents.

A workaround is leaving $rooturl empty. But that is causing problems, e.g. links in emails being incorrect.

Using the URL rewrite routine of the webserver is another.

Additional Information

A possible solution: offer a separate admin URL in config.php.

With the separate admin URL setting, SSL can be enforced when logging in without causing any problems on the frontend side.

Tags: No tags attached.

Relationships

has duplicate: 10565 (closed) "force HTTPS only for admins (not survey takers)"


Activities

jelo (partner), 2016-03-30 19:51, note ~36851

Really funny to see opponents to this feature request. As long as SSL can be deactivated in LimeSurvey, I cannot understand the reasons to oppose this request.

BTW: Nearly six years have passed. I still see commercial surveys without SSL nearly every day.

DenisChenu (developer), 2016-03-31 09:18, note ~36855

Have to do it in a plugin. Just need a better plugin event than 'afterPluginLoad'; beforeController is really a better idea for this.

jelo: why a plugin?
Because:

  • If you have SSL: best is to force it for the whole.
  • If you have SSL: better to use it in surveys by default (Firstname / email etc ...)
  • Forcing SSL for admin can be done in .htaccess (a good .htaccess) or good URL rewriting.

user14106, 2016-04-04 12:08, note ~36971

Added this to the wiki as DenisChenu suggested here:

https://manual.limesurvey.org/Workarounds:_Further_solutions_provided_by_LimeSurvey_users#Force_HTTPS_only_for_admins_.28not_survey_takers.29_with_.htaccess

I'm not sure it's the best solution; probably one can enhance this, but this is what seems to work for me for now. Runs on both 2.0x and 2.5.

# ALL ADMIN TO SSL
RewriteEngine On
# only plain-HTTP requests (port 80) whose path is the LimeSurvey admin area
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} myLimeFolder/index\.php/admin
# redirect to the same path and query string over HTTPS; the posted rule used
# $2, which refers to a capture group that does not exist, so it sent every
# admin request to the bare .../admin/ URL instead of the page asked for
RewriteRule ^ https://myserver.com%{REQUEST_URI} [R,L]

user14106, 2016-04-04 12:16, note ~36972

As far as commercial surveys without SSL go:

There are some people using some really old browsers that seem to get stuck with SSL in many server configurations. There are not many such cases, but still, if you aim to measure the general population one would need as little systematic exclusion from the sample as we can get. Even the opposite. For example, while doing public opinion on web panels it is essential to get hold of the part of the population that is less active, less educated etc., etc. And the ones with older browsers often might be part of this group.

I am also doing non-SSL links primarily due to the small amount of respondents I would lose due to technical reasons.

DenisChenu (developer), 2016-04-04 12:23, note ~36973

Thank you t6nnp6nn: the best solution is to do it in a plugin or in core. Your .htaccess seems great for users who can do it :).

Denis
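The plugin route DenisChenu prefers over the .htaccess rule, written out as an added example. This is not LimeSurvey code and not something posted in this issue. It assumes the plugin API fires a 'beforeControllerAction' event carrying a 'controller' parameter, that administration URLs route through the 'admin' controller (index.php/admin/...), that plugin settings are declared through the $settings array and read with $this->get(), and, where a reverse proxy terminates TLS, that the proxy sets X-Forwarded-Proto and strips any copy of that header sent by the client. Check each of these against your LimeSurvey version before relying on it.

```php
<?php
/**
 * ForceAdminHttps: added example plugin, not LimeSurvey code and not code from
 * this issue. Assumptions (verify against your version):
 *  - 'beforeControllerAction' fires with a 'controller' parameter,
 *  - admin pages use the 'admin' controller,
 *  - $settings / $this->get() are the plugin settings API,
 *  - a TLS-terminating proxy, if any, sets and sanitises X-Forwarded-Proto.
 */
class ForceAdminHttps extends PluginBase
{
    protected static $name = 'ForceAdminHttps';
    protected static $description =
        'Redirect administration requests to HTTPS; survey pages keep the scheme the respondent used';

    protected $settings = array(
        'adminHost' => array(
            'type'    => 'string',
            'label'   => 'Host name for the HTTPS admin URL (empty: reuse the request Host header)',
            'default' => '',
        ),
        'trustForwardedProto' => array(
            'type'    => 'checkbox',
            'label'   => 'Behind a TLS-terminating proxy that sets X-Forwarded-Proto',
            'default' => false,
        ),
    );

    public function init()
    {
        $this->subscribe('beforeControllerAction');
    }

    public function beforeControllerAction()
    {
        $controller = $this->getEvent()->get('controller');
        if ($controller !== 'admin') {
            // Survey pages are not touched: respondents never see a self-signed
            // certificate warning and the frontend keeps working over plain HTTP.
            return;
        }
        $trustProxy = (bool) $this->get('trustForwardedProto', null, null, false);
        if (self::isHttps($_SERVER, $trustProxy)) {
            return; // already on TLS, nothing to do (and no redirect loop)
        }
        $host   = trim((string) $this->get('adminHost', null, null, ''));
        $target = self::httpsUrl($_SERVER, $host);
        // Yii 1 CHttpRequest::redirect() sends the Location header and ends the request.
        Yii::app()->getRequest()->redirect($target, true, 302);
    }

    /**
     * True when the request arrived over TLS. $server is the $_SERVER array,
     * passed in so the decision can be exercised without a web server.
     * X-Forwarded-Proto is honoured only when the operator opted in, because a
     * client can send that header itself if no proxy strips it.
     */
    public static function isHttps(array $server, $trustProxy = false)
    {
        if (isset($server['HTTPS']) && $server['HTTPS'] !== ''
            && strtolower($server['HTTPS']) !== 'off') {
            return true;
        }
        if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])
            && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https') {
            return true;
        }
        return false;
    }

    /**
     * Build the HTTPS URL for the same path and query string.
     * A configured $adminHost pins the destination. Falling back to the Host
     * header mirrors the $rooturl setting quoted in the report, but it lets a
     * client with a spoofed Host header pick where the redirect points, so set
     * adminHost on any installation that is not behind a strict virtual host.
     */
    public static function httpsUrl(array $server, $adminHost = '')
    {
        $host = $adminHost !== '' ? $adminHost : $server['HTTP_HOST'];
        // REQUEST_URI already includes the query string; force a leading slash so
        // the value is always appended as a path after the chosen host.
        $path = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
        if ($path === '' || $path[0] !== '/') {
            $path = '/' . $path;
        }
        return 'https://' . $host . $path;
    }
}
```

One caveat the thread does not raise: with admin on HTTPS and surveys on HTTP, the admin session cookie is shared across both schemes unless it carries the Secure flag. An administrator who opens a plain http:// survey link while logged in would otherwise send the session cookie in clear text, which undoes the point of the redirect, so set the session cookie to Secure (and HttpOnly) alongside this plugin.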

Issue History

Date Modified Username Field Change
2016-03-30 19:51 jelo Note Added: 36851
2016-03-31 09:18 DenisChenu Note Added: 36855
2016-04-04 11:09 DenisChenu Status acknowledged => new
2016-04-04 11:09 DenisChenu Relationship added has duplicate 10565
2016-04-04 12:08 user14106 Note Added: 36971
2016-04-04 12:16 user14106 Note Added: 36972
2016-04-04 12:23 DenisChenu Note Added: 36973
2021-05-10 11:33 c_schmitz Assigned To => c_schmitz
2021-05-10 11:33 c_schmitz Status new => closed
2021-05-10 11:33 c_schmitz Resolution open => won't fix