Bypassing the authentication of Lime Survey

3 years 11 months ago #92973 by JVG
Hi,

We are developing an app based on CI and integrating it with LimeSurvey.
The requirement is that when admin logs in to our app and clicks on the survey link he should be redirected to the admin panel. But the problem we are facing is bypassing the LimeSurvey authentication.

We have tried delegating authentication to the webserver but we are unable to do so. I've gone through the instructions for the optional settings and implemented them too. But it throws an error with invalid username/password when authWebServer is set to true. I am unable to track the problem, or is there something to do with enabling authentication at the web server?

So we request you to suggest a way out for this.

3 years 11 months ago #92976 by Ben_V
You can copy the login form in an external file, setting user & password default values.
Use JQuery for submit button emulation.

To help you find a way, I attach 2 HTML samples (depending on your LS version):
Just adapt:
YOURDOMAIN
USERNAME
PASSWORD

No need to upload; can work from your desktop if the 'action' url value is correct...

If you have to use several different admin + password sets, just change it to a PHP file and set variables.

File Attachment: skip_auth.zip (3 KB)

Benoît

EM Variables => bit.ly/1TKQyNu | EM Roadmap => bit.ly/1UTrOB4
Last Releases => 2.6x.x goo.gl/ztWfIV | 2.06/2.6.x => bit.ly/1Qv44A1
Demo Surveys => goo.gl/HuR6Xe (already included in /docs/demosurveys)
The following user(s) said Thank You: JVG

3 years 11 months ago #92978 by DenisChenu

JVG wrote: We have tried delegating authentication to the webserver but we are unable to do so. I've gone through the instructions for the optional settings and implemented them too. But it throws an error with invalid username/password when authWebServer is set to true. I am unable to track the problem, or is there something to do with enabling authentication at the web server?

What is your version?

There are some patches for authWebServer in the last version.

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).

3 years 11 months ago #92980 by JVG
I am using version 2.0. Can you please attach the link for the patch? Does it bypass LimeSurvey authentication?

3 years 11 months ago #92981 by DenisChenu

JVG wrote: I am using version 2.0.

Build number?

JVG wrote: Can you please attach the link for the patch? Does it bypass LimeSurvey authentication?

LS official core, last build number: github.com/LimeSurvey/LimeSurvey

3 years 11 months ago #92983 by JVG
I am using LS with build number 130206. Will my problem be solved if I replace it with the above build?

3 years 11 months ago #92995 by JVG
I tried installing the latest build that you suggested but still there is a problem. What I need is when I login through my app and when I click on the link 'Add survey' it should bypass LimeSurvey authentication and show me the admin panel directly.

I installed the new build and reset the authWebserver variable to 'true' and edited the admin name in the 'lime_users' table to the same name as is in my app login for admin. When I was done with all these changes and clicked on the link 'Add survey', it redirects to this page
http://localhost/LimeSurvey-master/index.php/admin/authentication/sa/login with the error "Invalid username/password".

Please help me through this.

Thank you

3 years 11 months ago #93007 by DenisChenu
Never used authWebServer.

Can you set debug to 2 and file a bug report?

Denis
www.limesurvey.org/en/community-services/bug-tracker

3 years 11 months ago #93009 by JVG
I didn't get you. What is "debug to 2"?

Yes, I will file a bug report.

Thank You.

3 years 11 months ago - 3 years 11 months ago #93020 by JVG
Ben_V Wrote:
To help you to find a way, I attach 2 html samples (depend on your LS version):
Just adapt:
YOURDOMAIN
USERNAME
PASSWORD

Thank You so much. I tried with the script and it's working!!! :)
Last Edit: 3 years 11 months ago by JVG. Reason: forgot to add few lines

3 years 11 months ago #93024 by Ben_V
Yes it's working and could be ok with some extra (php) security settings (avoiding the direct call of the page, etc.)

That said, if new LS releases provide this kind of feature (cf. authWebserver), I think it will always be much better and more secure to use it... So, it will be really helpful if you can go further this way, reporting your experience and encountered bugs; I'm pretty sure that you'll get everything working very soon ;)

Benoît

6 months 2 weeks ago #139830 by carl05
I have LS running on a secure server, 2.50 - and this solution throws a 500 server error. I wonder, Ben, if there's something else going on based upon the version? What is the best solution do you think, in this case?

6 months 2 weeks ago #139837 by Ben_V
Hi,
The workaround provided above is outdated and probably fully incompatible with new releases (including 2.06)...

I think the only ways to go now are:
- using the LimeSurvey RC2 API
- changing some standard config in config-defaults.php to switch to server authentication mode:
https://github.com/LimeSurvey/LimeSurvey/blob/master/application/config/config-defaults.php#L154

Benoît

The following user(s) said Thank You: carl05

6 months 2 weeks ago #139858 by carl05
Really appreciate the advice.

I think another way might be to use AuthWPbyDB - which is pretty similar in many ways. But in trying to hack the AuthWPbyDB code to pass through HTTP headers, I've found some aspects tricky. I'm a bit stuck with this:

    if ($this->addWpDb()) {
        $this->getEvent()->getContent($this)
            ->addContent(CHtml::tag($tag, array(), "<label for='user'>" . gT("Username") . "</label><input name='user' id='user' type='text' size='40' maxlength='40' value='' />"))
            ->addContent(CHtml::tag($tag, array(), "<label for='password'>" . gT("Password") . "</label><input name='password' id='password' type='password' size='40' maxlength='40' value='' />"));
    } else { // No login form if unable to access to Wp DB

I'd like value to autopopulate the fields with my HTTP header variables, so people can just click once - but I don't know how to approach this syntax to pass through a value. The other way is just to strip out the login functionality altogether, but that might be an issue for superadmins. Ben, or anyone, if you can dig me out of this, it would be amazing!
The following user(s) said Thank You: Ben_V
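
Added example (not part of the post above and not AuthWPbyDB code): one way to fill the username field's `value` from a header set by a front-end proxy, accepting the header only from that proxy and escaping it before it reaches the HTML. The header name `X-Remote-User`, the `TRUSTED_PROXIES` list and both function names are assumptions; inside a Yii 1 plugin, `CHtml::encode()` performs the same escaping as `htmlspecialchars()` here.

```php
<?php
// Added example. X-Remote-User, TRUSTED_PROXIES and the function names are
// hypothetical; adapt them to the proxy that sits in front of LimeSurvey.

const TRUSTED_PROXIES = ['127.0.0.1', '::1']; // constructed: address(es) of the SSO proxy

/**
 * Return the username asserted by the proxy, or '' when the request did not
 * arrive through it or the value is malformed.
 */
function remoteUserFromHeader(array $server): string
{
    // Any client can send any header. Only believe it when the TCP peer is
    // the proxy that is configured to set (and overwrite) it.
    if (!in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true)) {
        return '';
    }
    $user = $server['HTTP_X_REMOTE_USER'] ?? '';
    // Same 40-character limit as the form's maxlength, restricted charset.
    if (!preg_match('/^[A-Za-z0-9._@-]{1,40}$/', $user)) {
        return '';
    }
    return $user;
}

/** Build the username field with the value HTML-escaped for a quoted attribute. */
function prefilledUserField(string $user): string
{
    $value = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    return "<label for='user'>Username</label>"
         . "<input name='user' id='user' type='text' size='40' maxlength='40' value='" . $value . "' />";
}

// Constructed sample requests (not real traffic).
$samples = [
    'via proxy'       => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_REMOTE_USER' => 'admin'],
    'proxy, bad name' => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_REMOTE_USER' => "bob' autofocus='"],
    'direct client'   => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_REMOTE_USER' => 'admin'],
];

foreach ($samples as $label => $server) {
    // Only the first sample produces a pre-filled field; the others stay empty.
    echo $label, ': ', prefilledUserField(remoteUserFromHeader($server)), "\n";
}
```

Only the username is pre-filled; the password field keeps `value=''`, so no credential is written into the page source.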

6 months 2 weeks ago #139864 by carl05
Sorry, re question above, got it fixed. thanks again
