2016-10-24 16:12 CEST

ID: 07405
Project: Feature requests
Category: [All Projects] Authentication
View Status: public
Last Update: 2016-04-04 12:23
Assigned To:
Product Version:
Target Version:
Fixed in Version:
Summary: 07405: SSL-encrypted admin login without enforcing SSL-encrypted access to the surveys
The setting of $rooturl = "http://$_SERVER['HTTP_HOST'] only allows you to set https or http. No case-wise SSL encryption.

Often installations are using self-signed certs, which will produce cryptic messages besides adding load when just delivering surveys to respondents.

A workaround is leaving the $rooturl empty. But that causes problems, e.g. incorrect links in emails.

Using the URL rewrite routine of the webserver is another.

Additional Information: A possible solution: Offer a separate admin URL in the config.php

With the separate admin URL setting, SSL can be enforced when logging in without causing any problems on the frontend side.
Tags: No tags attached.
Attached Files:

has duplicate 10565 (closed): force HTTPS only for admins (not survey takers)



jelo (reporter)

Really funny to see opponents to this feature request. As long as SSL can be deactivated in LimeSurvey, I cannot understand the reasons to oppose this request.

BTW: Nearly six years have passed. I still see commercial surveys without SSL nearly every day.


DenisChenu (developer)

Have to do it in a plugin. Just need a better plugin event than 'afterPluginLoad'; beforeController is really a better idea for this.

jelo: why plugin?
Because:
- If you have SSL: best is to force for whole
- If you have SSL: better using it in survey by default (Firstname / email etc ...)
- Force SSL for admin can be done in .htaccess (good htaccess) or good URL rewriting.


t6nnp6nn (reporter)

Added this to the wiki as DenisChenu suggested here:

I'm not sure it's the best solution - probably one can enhance this, but this is what seems to work for me for now. Runs on both 2.0x and 2.5

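# Match only requests that arrive on port 80 (plain HTTP) for the admin interface
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} myLimeFolder/index.php/admin
# Redirect target assumed here: the same host and path over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]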
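
An added example (not part of the thread and not LimeSurvey code): a small Python model of the two RewriteCond lines above, run over constructed requests, to check which admin URLs the rule actually sends to HTTPS. It assumes LimeSurvey's two URL styles, index.php/admin/... and index.php?r=admin/..., and the function names and sample requests are made up for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two RewriteCond patterns from the rule above. mod_rewrite treats a
# CondPattern as an unanchored regex, so "80" also matches a port like 8080.
COND_PORT = re.compile(r"80")
COND_URI = re.compile(r"myLimeFolder/index.php/admin")
HTTPS_PORT = 443

def redirected_to_https(port, request_target):
    """True when both conditions match, i.e. the RewriteRule fires."""
    # %{REQUEST_URI} holds the path only; the query string is not part of it.
    path = urlsplit(request_target).path
    return bool(COND_PORT.search(str(port)) and COND_URI.search(path))

def is_admin_request(request_target):
    """Assumed definition: route after index.php, or r= parameter, starts with 'admin'."""
    parts = urlsplit(request_target)
    route = parts.path.split("index.php", 1)[-1].lstrip("/")
    r_param = parse_qs(parts.query).get("r", [""])[0]
    return route.startswith("admin") or r_param.startswith("admin")

def uncovered_admin_requests(requests):
    """Admin requests on a non-HTTPS port that the rule does not redirect."""
    return [(port, target) for port, target in requests
            if port != HTTPS_PORT and is_admin_request(target)
            and not redirected_to_https(port, target)]

# Constructed sample requests: (server port, request target).
SAMPLE_REQUESTS = [
    (80, "/myLimeFolder/index.php/admin/authentication/sa/login"),
    (80, "/myLimeFolder/index.php?r=admin/authentication/sa/login"),
    (80, "/myLimeFolder/index.php/123456?lang=en"),
    (443, "/myLimeFolder/index.php/admin/authentication/sa/login"),
]

if __name__ == "__main__":
    for port, target in uncovered_admin_requests(SAMPLE_REQUESTS):
        print(f"not redirected: port {port} {target}")
```

On these samples the only admin request left on plain HTTP is the query-string form, because the REQUEST_URI condition never sees the r= parameter.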


t6nnp6nn (reporter)

As far as commercial surveys without SSL go:

There are some people using some really old browsers that seem to get stuck with SSL in many server configurations. There are not many such cases, but still - if you aim to measure the general population, one would need as little systematic exclusion from the sample as we can get. Even the opposite. For example - while doing public opinion on web panels - it is essential to get hold of the part of the population that is less active, less educated etc, etc. And the ones with older browsers often might be part of this group.

I am also doing non-SSL links, primarily due to the small amount of respondents I would lose due to technical reasons.


DenisChenu (developer)

Thank you t6nnp6nn: the best solution is to do it in a plugin or in core. Your htaccess seems great for users who can do it :).


Issue Community Support
Supporters: DenisChenu, jelo
Opponents: user1, tringate, jjmartinez

Issue History
Date Modified Username Field Change
2016-03-30 19:51 jelo Note Added: 36851
2016-03-31 09:18 DenisChenu Note Added: 36855
2016-04-04 11:09 DenisChenu Status acknowledged => new
2016-04-04 11:09 DenisChenu Relationship added has duplicate 10565
2016-04-04 12:08 t6nnp6nn Note Added: 36971
2016-04-04 12:16 t6nnp6nn Note Added: 36972
2016-04-04 12:23 DenisChenu Note Added: 36973