LS 2.50+ Authwebserver: redirect loop for non-SuperAdmins
7 years 10 months ago #136358
by hermann
LS 2.50+ Authwebserver: redirect loop for non-SuperAdmins was created by hermann
I am upgrading from a LS 2.00+ installation where I have webserver-authentication enabled. I want to stick with that and so I enabled the "Core: Webserver authentication" plugin in Plugin-Manager.
My Apache is configured to ask for credentials (Basic-Auth over HTTPS) when the URI contains ".../admin" so REMOTE_USER gets set with the username. That username does exist in the internal user-db of LS as well.
I would expect to just get logged in, but what I see is a redirect loop for any user that is not a SuperAdmin:
the response to GET .../admin is a
redirect to .../index.php/admin/authentication/sa/login which in turn returns a
redirect to .../index.php/admin/authentication/sa/login and so forth, until the browser stops looping.
Am I missing something?
What can I do to debug this problem?
The topic has been locked.
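For the debugging question in the post above, one approach is to walk the redirect chain one hop at a time and stop at the first repeated URL, so the loop is confirmed with two requests instead of however many the browser sends. This is an added example, not part of the original post or of LimeSurvey; the host `survey.example`, the sample responses and the function names are constructed for illustration.

```python
import base64
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def http_fetch(url, user=None, password=None):
    """One GET, redirects not followed; returns (status, Location or None)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    headers = {}
    if user is not None:  # Basic auth, as the Apache setup in the post expects
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(start_url, fetch=http_fetch, max_hops=10):
    """Return (chain, verdict): chain is [(url, status), ...] and verdict is
    "loop" (a URL repeated), "final" (non-redirect reply) or "hop-limit"."""
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            return chain, "final"
        seen.add(url)
        url = urljoin(url, location)  # Location may be relative
        if url in seen:               # would revisit a URL: stop here
            return chain, "loop"
    return chain, "hop-limit"

# Constructed responses mirroring the behaviour described in the post.
LOGIN = "https://survey.example/index.php/admin/authentication/sa/login"
SAMPLE = {
    "https://survey.example/admin": (302, "/index.php/admin/authentication/sa/login"),
    LOGIN: (302, "/index.php/admin/authentication/sa/login"),
}

def demo():
    """Trace the constructed sample offline; no network access."""
    return trace_redirects("https://survey.example/admin", fetch=lambda u: SAMPLE[u])
```

Against a live server, pass `fetch=lambda u: http_fetch(u, "user", "password")` and compare the chain for a SuperAdmin account with the chain for a regular account.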
7 years 9 months ago #136377
by DenisChenu
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer private messages.
Replied by DenisChenu on topic LS 2.50+ Authwebserver: redirect loop for non-SuperAdmins
Hi,
I think we fixed this in 2.06. But this must be reported on our bugtracker.
7 years 9 months ago #136389
by hermann
Replied by hermann on topic LS 2.50+ Authwebserver: redirect loop for non-SuperAdmins
Hi DenisChenu,
thanks for your answer.
I can open a bug. Before I do that I want to share some new findings:
I can make the Webserver authentication work for non-SuperAdmins when, as a SuperAdmin, I edit the user permissions (.../admin/user/sa/setuserpermissions) and check the box for "Use web server authentication" for each user individually. Having 173 users, I plan to do that in the DB with an "insert into permissions" query.
Is this the intended way to go?
But what's the intended behaviour of the "make default authentication method" check-box in the plugin-settings then?
There are some more problems I am having with this plugin:
* When I try to "Logout" I stay logged in. This is a known problem with HTTP-Authentication so I can live with that. But shouldn't the Plugin show a message about this or disable the "Logout" link or whatever?
* When for whatever reason someone has failed login attempts the plugin does not handle this correctly: The only thing you get in this case is the redirect loop (leading to 10 to 60 more failed login attempts). No warning message.
Can you shed some light on these or may I create bugs/issues in the bugtracker?
Greetings
Hermann