| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 09373 | Feature requests | [All Projects] Security | public | 2014-11-25 16:34 | 2018-12-04 16:03 |

| Target Version | Fixed in Version |
|---|---|
| | |

Summary: 09373: Prevent people from logging into the administration from everywhere
It would be great for security reasons if the administration view could be hidden from people outside, or the other way round: one could set individual IP addresses, IP ranges, DNS names, or parts of DNS names (like *.mydomain.tld) that are allowed to get access to the admin view.
The German Office for data security wants us to do so.
.htaccess is not the way.
Tags: No tags attached.
And why is .htaccess not the way?
I really think it must be done via htaccess or external plugin, not in LS core.
PS: try with the beforeLogin event: http://manual.limesurvey.org/BeforeLogin#beforeLogin
PS: restricting by IP is not security... don't you know about IP spoofing?
.htaccess doesn't prevent someone from logging in to the admin area from outside your LAN, actually!
This just keeps people from getting the index file from the example.tld/admin/ directory.
If someone knows that this will be reinterpreted to http://example.tld/index.php/admin/authentication/sa/login instantly, he can still log in to your limesurvey administration.
This isn't better than .htaccess in the ../admin/ folder with 'deny all'.
I know about IP spoofing, but no one will be able to pretend to use a local-only RFC address from the outside. This address will not be routed.
Therefore an IP filter is an appropriate way to secure against attempts from outside.
How does the 'beforeLogin' work? I'm no php developer.
With htaccess and rewrite condition:
Usage of plugin:
If you need help for PHP dev: http://www.limesurvey.com/
Since LS uses the same index.php for everything, by using .htaccess you will keep everyone from outside from using anything in LS (also surveys).
I looked through your WordPress login script but I can't see how I would find out the remote IP address and filter it.
Could you explain?
Oops, forgot to mention:
RewriteCond isn't allowed on our webserver.
Please : http://www.giyf.com/ : php find remote IP address
And again: you need a PHP dev for LimeSurvey: http://www.limesurvey.com/
I found a way that fits my requirements for now.
My solution is made with php. I just need to check the changes after every update.
In my opinion it would still be great if that option came into the standard GUI, so it is easy to set for everyone.
Disabling the "password forgotten" link function would be a good idea too.
@htwsaar, can you outline your solution in more detail so others can benefit from it as well?
Here is the simple way I did it:
You need to change your /application/controllers/admin/authentication.php
$IPRANGE = substr($_SERVER['REMOTE_ADDR'], 0, 7); // first seven characters of the client address, compared against the LAN prefixes below
where XXX.XX. and YYY.YY. are the first characters of your internal IP-ranges (LANs).
Caution: Check authentication.php after every update if it got exchanged by the update. You may have to customize it again.
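An added example, not the thread's code and not LimeSurvey core: a CIDR-based allow-list check on REMOTE_ADDR that could replace the substr() prefix test in authentication.php or be called from a beforeLogin plugin. The allow-list ranges and client addresses are constructed sample values, and the two function names are hypothetical.

```php
<?php
// Added example, not LimeSurvey code: CIDR allow-list check for the admin login.
// Only REMOTE_ADDR is consulted: it is the TCP peer address seen by the web server,
// which a remote client cannot forge on a completed handshake (unlike X-Forwarded-For).

// True if $ip lies inside $cidr; handles IPv4 and IPv6 ("10.0.0.0/8", "fd00::/8").
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                      // malformed input or IPv4/IPv6 mismatch
    }
    $maxBits = strlen($ipBin) * 8;         // 32 for IPv4, 128 for IPv6
    $bits    = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);         // compare whole bytes first ...
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;                      // ... then the remaining partial byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// True when the connecting client may reach the admin login at all.
function adminLoginAllowed(array $server, array $allowedCidrs): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach ($allowedCidrs as $cidr) {
        if (ipInCidr($remote, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed sample allow-list (hypothetical LAN ranges) and sample client addresses.
$allowed = ['10.0.0.0/8', '192.168.1.0/24', 'fd00::/8'];
foreach (['192.168.1.37', '192.168.2.37', '203.0.113.9', 'fd00::1'] as $client) {
    $verdict = adminLoginAllowed(['REMOTE_ADDR' => $client], $allowed) ? 'allow' : 'deny';
    echo "$client => $verdict\n";
}
```

A seven-character prefix test treats every 192.168.x.y address as local and mis-compares addresses of different lengths; bit-wise CIDR matching admits only the ranges actually listed.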
@htwsaar: Thanks a lot for your feedback!
Just a short recommendation: when switching to a newer LimeSurvey version, it makes sense to create a plugin for such features. That way you are future-safe when updating later and do not have to edit the source code files.
@Mazi: Thanks for that idea with a plugin.
For a simple example of action done only for admin page
@DenisChenu: in my opinion this is not what we wanted to have as a result.
I only give sample …
I don't say : do it like this …
| Date | User | Action |
|---|---|---|
| 2014-11-25 16:34 | htwsaar | New Issue |
| 2014-11-26 10:58 | DenisChenu | Note Added: 31101 |
| 2014-11-26 10:59 | DenisChenu | Note Edited: 31101 |
| 2014-11-26 11:00 | DenisChenu | Note Edited: 31101 |
| 2014-11-26 18:02 | htwsaar | Note Added: 31111 |
| 2014-11-26 18:34 | DenisChenu | Note Added: 31112 |
| 2014-11-26 18:54 | htwsaar | Note Added: 31113 |
| 2014-11-26 18:56 | htwsaar | Note Added: 31114 |
| 2014-11-26 19:33 | DenisChenu | Note Added: 31115 |
| 2014-12-04 12:44 | htwsaar | Note Added: 31164 |
| 2014-12-05 17:35 | jelo | Note Added: 31184 |
| 2018-12-03 17:20 | Mazi | Note Added: 49861 |
| 2018-12-04 11:02 | htwsaar | Note Added: 49873 |
| 2018-12-04 11:08 | Mazi | Note Added: 49874 |
| 2018-12-04 11:12 | htwsaar | Note Added: 49875 |
| 2018-12-04 11:56 | DenisChenu | Note Added: 49876 |
| 2018-12-04 14:43 | htwsaar | Note Added: 49878 |
| 2018-12-04 16:03 | DenisChenu | Note Added: 49880 |