View Issue Details

ID: 09373
Project: Feature requests
Category: Security
View Status: public
Last Update: 2020-07-06 16:06
Reporter: htwsaar
Assigned To:
Status: new
Resolution: open
Summary: 09373: Prevent people from login into administration from everywhere
Description: It would be great for security reasons if the administration view could be hidden from people outside - or the other way round - one could set individual IP addresses, IP ranges, DNS names, or parts of DNS names (like *.mydomain.tld) that are allowed to get access to the admin view.

The German Office for data security wants us to do so.

.htaccess is not the way.

Tags: No tags attached.




2014-11-26 10:58

developer   ~31101

Last edited: 2014-11-26 11:00

And why is .htaccess not the way?

I really think it must be done via htaccess or external plugin, not in LS core.

PS: try with beforeLogin event :

PS: restricting by IP is not security ... don't you know IP spoofing?



2014-11-26 18:02

reporter   ~31111

.htaccess doesn't prevent someone from logging in to the admin area from outside your LAN, actually!

This just keeps people from getting the index file from example.tld/admin/ directory.

If someone knows that this will be reinterpreted to http://example.tld/index.php/admin/authentication/sa/login instantly, he can still log in to your limesurvey administration.

This isn't better than .htaccess in the ../admin/ folder with 'deny all'.

I know IP spoofing. But no one will be able to pretend to use a merely locally usable RFC address from the outside. This address will not be routed.

Therefore an IP filter is an appropriate way to secure against attempts from outside.

How does the 'beforeLogin' work? I'm no PHP developer.
It would be fine if that were part of the Administration GUI.


2014-11-26 18:34

developer   ~31112

With htaccess and rewrite condition:
RewriteCond %{REMOTE_ADDR} !^192\.168\.0
RewriteCond %{REQUEST_URI} admin
RewriteRule .* index.php

Not tested

Usage of plugin:
beforeLogin :
You can surely use a redirect here or throw a 401 error.

If you need help for PHP dev:


2014-11-26 18:54

reporter   ~31113

While LS uses the same index.php for all reasons, by usage of .htaccess you will keep everyone from outside using everything in LS (also surveys).
That's not what most users want.

I looked through your WordPress login script but I can't see how I would find out the remote IP address and filter it.

Could you explain?

Thank you.


2014-11-26 18:56

reporter   ~31114

Oops, forgot to mention:

RewriteCond isn't allowed on our webserver.


2014-11-26 19:33

developer   ~31115

Please : : php find remote IP address

And again : need PHP dev for LimeSurvey :


2014-12-04 12:44

reporter   ~31164

I found a way that fits my requirements for now.

My solution is made with PHP. I just need to check the changes after every update.

In my opinion it would still be great if that option came into the standard GUI, so that everyone could set it easily.


2014-12-05 17:35

partner   ~31184

To disable the "password forgotten" link function would be a good idea too.
When we talk about spoofing we have to think about sniffing too.


2018-12-03 17:20

partner   ~49861

@htwsaar, can you outline your solution in more detail so others can benefit from it as well?


2018-12-04 11:02

reporter   ~49873

Here is the simple way I did it:

You need to change your /application/controllers/admin/authentication.php
using the following lines (i.e.):

$IPRANGE = substr($_SERVER['REMOTE_ADDR'], 0, 7);
switch ($IPRANGE) {
    case "XXX.XX.":
    case "YYY.YY.":
        // Address starts with an internal prefix: let the request continue.
        break;
    default:
        die('Administrative GUI only available within the local network!');
}

where XXX.XX. and YYY.YY. are the first characters of your internal IP-ranges (LANs).
If you have just 1 LAN (like just use one case. If you have more, use more.

Caution: Check authentication.php after every update if it got exchanged by the update. You may have to customize it again.


2018-12-04 11:08

partner   ~49874

@htwsaar: Thanks a lot for your feedback!

Just a short recommendation: When switching to newer Limesurvey versions it makes sense to create a plugin for such features. That way you are future-safe when updating later and do not have to edit the source code files.


2018-12-04 11:12

reporter   ~49875

@Mazi: Thanks for that idea with a plugin.
Actually I don't know about plugins. How would I manage that? Is there a manual on how to use plugins?


2018-12-04 11:56

developer   ~49876


For a simple example of action done only for admin page


2018-12-04 14:43

reporter   ~49878

@DenisChenu. In my opinion this is not what we wanted to have as a result.
We don't want people from outside the LAN (IP based) to be able to see the admin login page and log in.


2018-12-04 16:03

developer   ~49880

I only give a sample …

    public function beforeControllerAction() {
        if ($this->event->get('controller') == 'admin' && $this->event->get('action') != 'authentication') {
            if (!$this->_yourFunctionToTest()) { /* the rest of the sample is cut off in this note */ }
        }
    }
I don't say : do it like this …
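
One way to write the address test that note ~49873 does with `substr` and that the `_yourFunctionToTest()` placeholder above leaves open, as an added example that is not part of the original thread or of LimeSurvey: it matches the client address against CIDR ranges (IPv4 and IPv6) and denies by default, which a fixed seven-character prefix cannot express for a range such as a /12. The function names and sample ranges are assumptions; behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the check has to run where the real client address is visible.

```php
<?php
// Added example, not LimeSurvey code. Addresses and ranges are constructed samples.
/** True when $ip lies inside $cidr (IPv4 or IPv6, e.g. "172.16.0.0/12"). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false) {
        return false; // unparsable address or range
    }
    // Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d; compare those as IPv4.
    if (strlen($ipBin) === 16 && strlen($netBin) === 4
        && strncmp($ipBin, str_repeat("\x00", 10) . "\xff\xff", 12) === 0) {
        $ipBin = substr($ipBin, 12);
    }
    if (strlen($ipBin) !== strlen($netBin)) {
        return false; // IPv4 address against an IPv6 range, or the reverse
    }
    $max = strlen($ipBin) * 8;
    // Validate the prefix length instead of casting: "/abc" must not become "/0".
    $bits = ($bits === null) ? $max : filter_var($bits, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => $max]]);
    if ($bits === false) {
        return false;
    }
    $full = intdiv($bits, 8);            // whole bytes covered by the prefix
    $rem  = $bits % 8;                   // leftover bits in the following byte
    $mask = (0xFF << (8 - $rem)) & 0xFF; // 0 when $rem is 0
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    return $rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}
/** Default deny: a request passes only if its address matches a listed range. */
function admin_access_allowed(string $remoteAddr, array $allowedCidrs): bool
{
    foreach ($allowedCidrs as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

$allowed = ['192.168.0.0/24', '172.16.0.0/12', 'fd00:1234::/32'];
foreach (['192.168.0.17', '172.31.4.2', '172.32.0.1', '::ffff:192.168.0.9', '203.0.113.8'] as $addr) {
    printf("%-20s %s\n", $addr, admin_access_allowed($addr, $allowed) ? 'allow' : 'deny');
}
```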


2020-04-27 18:37

reporter   ~57399

I'm using .htaccess for the whole site so users that don't have the user and password will not see anything.
Now I want to remove it from the homepage, and just leave it in the admin login with the .htaccess password.
Which directory do I need to protect?


2020-04-27 20:11

partner   ~57401

We can provide a plugin similar to this one ( but for the admin backend.
Would that help? Then please write to me at


2020-04-27 21:11

reporter   ~57404

I prefer to use a simple thing, like protecting just the directory this link is coming from ""


2020-05-11 10:04

reporter   ~57659

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R,L]

AuthType Basic
AuthName "Access to /mysite/"
AuthUserFile /directory of htpasswd
Require user Jd4g5G

AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI index.php/admin/authentication/sa/login !noauth
SetEnvIf Request_URI index.php !noauth

  Require env noauth
  Require valid-user


2020-07-06 14:37

partner   ~58722

Since this feature request is still marked "new" but there seems to be a need for tools to restrict access to Limesurvey, we have now made our "IP range login" Limesurvey plugin available at


2020-07-06 16:06

reporter   ~58725

I use this one for redirecting users to a message page of "site in maintenance" and I can continue in admin area:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R,L]

AuthType Basic
AuthName "Access to /yoursite/"
AuthUserFile /xxxxxx/htpasswd
Require user xxxxxx

AuthGroupFile /dev/null

SetEnvIf Request_URI .* noauth
SetEnvIf Request_URI index.php/admin/authentication/sa/login !noauth
#SetEnvIf Request_URI index.php !noauth

  Require env noauth
  Require valid-user

#change to my ip & remove "#" from "deny from all"
ErrorDocument 403
Order deny,allow
#Deny from all
#your ip
Allow from

#Prevent viewing of .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

#Prevent directory listings
Options All -Indexes

Issue History

Date Modified Username Field Change
2014-11-25 16:34 htwsaar New Issue
2014-11-26 10:58 DenisChenu Note Added: 31101
2014-11-26 10:59 DenisChenu Note Edited: 31101
2014-11-26 11:00 DenisChenu Note Edited: 31101
2014-11-26 18:02 htwsaar Note Added: 31111
2014-11-26 18:34 DenisChenu Note Added: 31112
2014-11-26 18:54 htwsaar Note Added: 31113
2014-11-26 18:56 htwsaar Note Added: 31114
2014-11-26 19:33 DenisChenu Note Added: 31115
2014-12-04 12:44 htwsaar Note Added: 31164
2014-12-05 17:35 jelo Note Added: 31184
2018-12-03 17:20 Mazi Note Added: 49861
2018-12-04 11:02 htwsaar Note Added: 49873
2018-12-04 11:08 Mazi Note Added: 49874
2018-12-04 11:12 htwsaar Note Added: 49875
2018-12-04 11:56 DenisChenu Note Added: 49876
2018-12-04 14:43 htwsaar Note Added: 49878
2018-12-04 16:03 DenisChenu Note Added: 49880
2020-04-27 18:37 ymca Note Added: 57399
2020-04-27 20:11 Mazi Note Added: 57401
2020-04-27 21:11 ymca Note Added: 57404
2020-05-11 10:04 ymca Note Added: 57659
2020-07-06 14:37 Mazi Note Added: 58722
2020-07-06 16:06 ymca Note Added: 58725