Welcome to the LimeSurvey Community Forum

LS 2.50+ Authwebserver: redirect loop for non-SuperAdmins

7 years 10 months ago #136358 by hermann
I am upgrading from a LS 2.00+ installation where I have webserver-authentication enabled. I want to stick with that and so I enabled the "Core: Webserver authentication" plugin in Plugin-Manager.
My Apache is configured to ask for credentials (Basic-Auth over HTTPS) when the URI contains ".../admin" so REMOTE_USER gets set with the username. That username does exist in the internal user-db of LS as well.
I would expect to just get logged in, but what I see is a redirect loop for any user that is not a SuperAdmin:
the response to GET .../admin is a
redirect to .../index.php/admin/authentication/sa/login which in turn returns a
redirect to .../index.php/admin/authentication/sa/login and so forth, until the browser stops looping.

Am I missing something?
What can I do to debug this problem?
The topic has been locked.
7 years 9 months ago #136377 by DenisChenu
Hi,

I think we fixed this in 2.06. But this must be reported on our bugtracker.

Assistance on LimeSurvey forum and LimeSurvey core development are in my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer private messages.
7 years 9 months ago #136389 by hermann
Hi DenisChenu,

thanks for your answer.
I can open a bug. Before I do that I want to share some new findings:
I can make the Webserver authentication work for non-SuperAdmins when, as a SuperAdmin, I edit the user permissions (.../admin/user/sa/setuserpermissions) and check the box for "Use web server authentication" for each user individually. Having 173 users, I plan to do that in the DB with an "insert into permissions" query.
Is this the intended way to go?
But what's the intended behaviour of the "make default authentication method" check-box in the plugin-settings then?

There are some more problems I am having with this plugin:
* When I try to "Logout" I stay logged in. This is a known problem with HTTP-Authentication so I can live with that. But shouldn't the Plugin show a message about this or disable the "Logout" link or whatever?
* When for whatever reason someone has failed login attempts the plugin does not handle this correctly: The only thing you get in this case is the redirect loop (leading to 10 to 60 more failed login attempts). No warning message.
Can you shed some light on these or may I create bugs/issues in the bugtracker?

Greetings
Hermann
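
For the debugging question raised in this thread, the following added example (not part of any post and not LimeSurvey code) scans Apache access-log lines for the symptom described: the same authenticated user being answered with one redirect after another on the login URL. It assumes the common/combined log format, where the third field is REMOTE_USER; the log lines, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix (assumed format):
# host ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_SUFFIX = "/admin/authentication/sa/login"  # login URL quoted in the thread
REDIRECTS = {"301", "302", "303", "307", "308"}


def find_redirect_loops(lines, threshold=5):
    """Map (client, REMOTE_USER) to the longest run of consecutive redirects
    answered on the login URL, keeping only runs of at least `threshold`."""
    current = defaultdict(int)
    longest = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an access-log line in the assumed format
        key = (m["host"], m["user"])
        path = m["path"].split("?", 1)[0]
        if path.endswith(LOGIN_SUFFIX) and m["status"] in REDIRECTS:
            current[key] += 1
        else:
            current[key] = 0  # any other request ends the run
        longest[key] = max(longest[key], current[key])
    return {k: n for k, n in longest.items() if n >= threshold}


def _line(host, user, path, status, sec):
    return (f'{host} - {user} [01/Jan/2016:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} - "-" "Mozilla/5.0"')


# Constructed sample: "user1" loops on the login URL, "root1" logs in normally.
LOGIN = "/limesurvey/index.php" + LOGIN_SUFFIX
SAMPLE_LOG = (
    [_line("192.0.2.10", "user1", "/limesurvey/admin", 302, 0)]
    + [_line("192.0.2.10", "user1", LOGIN, 302, s) for s in range(1, 9)]
    + [_line("192.0.2.20", "root1", "/limesurvey/admin", 302, 0),
       _line("192.0.2.20", "root1", LOGIN, 302, 1),
       _line("192.0.2.20", "root1", "/limesurvey/index.php/admin", 200, 2)])

if __name__ == "__main__":
    for (host, user), run in find_redirect_loops(SAMPLE_LOG).items():
        print(f"{user}@{host}: {run} consecutive login redirects")
```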