View Issue Details

ID: 07405
Project: Feature requests
Category: Authentication
View Status: public
Last Update: 2021-05-10 11:33
Reporter: jelo
Assigned To: c_schmitz
Status: closed
Resolution: won't fix
Summary: 07405: SSLencrypted Adminlogin without enforcing SSLencrypted access to the surveys
The setting of $rooturl = "http://$_SERVER['HTTP_HOST'] only allows you to set https or http. No casewise SSL encryption.

Often installations are using self-signed certs which will produce cryptic messages besides adding load when just delivering surveys to respondents.

A workaround is leaving the $rooturl empty. But that causes problems, e.g. incorrect links in emails.

Using the URL rewrite routine of the web server is another.

Additional Information: A possible solution: Offer a separate admin URL in the config.php

With the separate admin URL setting, SSL can be enforced when logging in without causing any problems on the frontend side.
Tags: No tags attached.


has duplicate 10565 closed force HTTPS only for admins (not survey takers) 




2016-03-30 19:51

partner   ~36851

Really funny to see opponents to this feature request. As long as SSL can be deactivated in LimeSurvey, I cannot understand the reasons to oppose this request.

BTW: Nearly six years have passed. I still see commercial surveys without SSL nearly every day.


2016-03-31 09:18

developer   ~36855

Have to do it in a plugin. Just need a better plugin event than 'afterPluginLoad'; beforeController is really a better idea for this.

jelo: why a plugin?
Because:
- If you have SSL: best is to force for whole
- If you have SSL: better using it in survey by default (Firstname / email etc ...)
- Force SSL for admin can be done in .htaccess (good htaccess) or good URL rewriting.


2016-04-04 12:08


added this to wiki as DenisChenu suggested here:

I'm not sure it's the best solution - probably one can enhance this but this is what seems to work for me for now. Runs on both 2.0x and 2.5

RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} myLimeFolder/index.php/admin
RewriteRule ^(.*)$$2 [R,L]
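
A self-contained form of the admin-only redirect discussed in the note above, as an added example that is not the poster's rule or LimeSurvey's own configuration. It assumes the `myLimeFolder` path from the note, an enabled mod_rewrite, and TLS terminating on the same Apache server; the `r=admin` query-string match is an assumption about installations that use GET-style URLs.

```apache
# Added example (.htaccess in the web root). "myLimeFolder" is the folder
# name used in the note above; adjust it to the real installation path.
RewriteEngine On

# Act only on requests that arrived without TLS. Testing %{HTTPS} instead of
# SERVER_PORT 80 also covers plain-HTTP listeners on non-standard ports.
RewriteCond %{HTTPS} !=on

# Admin entry points in path form, with or without index.php:
#   /myLimeFolder/admin...   /myLimeFolder/index.php/admin...
# Anchoring with ^ and (/|$) avoids matching unrelated paths that merely
# contain the string "admin".
RewriteCond %{REQUEST_URI} ^/myLimeFolder/(index\.php/)?admin(/|$) [NC,OR]

# Assumption: GET-style URLs route the admin area through ?r=admin/...
RewriteCond %{QUERY_STRING} (^|&)r=admin(/|&|$) [NC]

# Same host, same path, HTTPS scheme. The query string is carried over
# automatically because the substitution contains none of its own.
# Survey URLs match neither condition above and stay on plain HTTP.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
```

A redirect only protects what follows it: a login form submitted to an http:// admin URL has already crossed the network in clear text before the 302 is returned, so admin bookmarks and links should point at https:// directly.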


2016-04-04 12:16


As far as commercial surveys without SSL goes:

There are some people using some really old browsers that seem to get stuck with SSL in many server configurations. There are not many such cases, but still - if you aim to measure the general population one would need as little systematic exclusion from the sample as we can get. Even the opposite. For example - while doing public opinion on web panels - it is essential to get hold of the part of the population that is less active, less educated etc, etc. And the ones with older browsers often might be part of this group.

I am also doing non-SSL links primarily due to the small amount of respondents I would lose due to technical reasons.


2016-04-04 12:23

developer   ~36973

Thank you t6nnp6nn: the best solution is to do it in a plugin or in core. Your htaccess seems great for users who can do it :).


Issue History

Date Modified Username Field Change
2016-03-30 19:51 jelo Note Added: 36851
2016-03-31 09:18 DenisChenu Note Added: 36855
2016-04-04 11:09 DenisChenu Status acknowledged => new
2016-04-04 11:09 DenisChenu Relationship added has duplicate 10565
2016-04-04 12:08 user14106 Note Added: 36971
2016-04-04 12:16 user14106 Note Added: 36972
2016-04-04 12:23 DenisChenu Note Added: 36973
2021-05-10 11:33 c_schmitz Assigned To => c_schmitz
2021-05-10 11:33 c_schmitz Status new => closed
2021-05-10 11:33 c_schmitz Resolution open => won't fix