diff --git a/lemonldap-ng-portal/MANIFEST b/lemonldap-ng-portal/MANIFEST
index 0dab03240..718bef16d 100644
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@@ -700,6 +700,7 @@ t/62-UpgradeSession.t
 t/63-History.t
 t/64-StayConnected-with-2F-and-History.t
 t/64-StayConnected-with-History.t
+t/64-StayConnected-with-rule.t
 t/64-StayConnected-without-fingerprint-checking.t
 t/65-AutoSignin.t
 t/65-CheckState.t
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index 6d64346a0..dab658183 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -247,11 +247,9 @@ sub display {
 LANGS => $self->conf->{showLanguages},
 AUTH_USER => $req->{sessionInfo}->{ $self->conf->{portalUserAttr} },
 NEWWINDOW => $self->conf->{portalOpenLinkInNewWindow},
- LOGOUT_URL => $self->conf->{portal} . "?logout=1",
- APPSLIST_ORDER => $req->{sessionInfo}->{'_appsListOrder'},
- PING => $self->conf->{portalPingInterval},
- REQUIRE_OLDPASSWORD =>
- $self->requireOldPwd->( $req, $req->userData ),
+ LOGOUT_URL => $self->conf->{portal} . "?logout=1",
+ APPSLIST_ORDER => $req->{sessionInfo}->{'_appsListOrder'},
+ PING => $self->conf->{portalPingInterval},
 DONT_STORE_PASSWORD => $self->conf->{browsersDontStorePassword},
 HIDE_OLDPASSWORD => 0,
 PPOLICY_NOPOLICY => !$self->isPP(),
@@ -261,6 +259,11 @@ sub display {
 PPOLICY_MINUPPER => $self->conf->{passwordPolicyMinUpper},
 PPOLICY_MINDIGIT => $self->conf->{passwordPolicyMinDigit},
 PPOLICY_MINSPECHAR => $self->conf->{passwordPolicyMinSpeChar},
+ (
+ $self->requireOldPwd->( $req, $req->userData )
+ ? ( REQUIRE_OLDPASSWORD => 1 )
+ : ()
+ ),
 (
 $self->conf->{passwordPolicyMinSpeChar} || $self->speChars()
 ? ( PPOLICY_ALLOWEDSPECHAR => $self->speChars() )
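Review bot: The conditional element added for `REQUIRE_OLDPASSWORD` (and the matching `STAYCONNECTED` element in the `@@ -398` hunk) carries no comment explaining why the key is now emitted only when the rule is true. The removed form `REQUIRE_OLDPASSWORD => $self->requireOldPwd->( $req, $req->userData )` called the rule in list context inside the parameter list, where an empty-list return would shift every following key/value pair; the ternary evaluates it as a boolean and normalises the value to 1. A one-line comment such as `# rule evaluated in boolean context; key omitted when false so the pair list stays aligned` would keep a later clean-up from folding it back. Whether that was the motivation is inferred from the diff; the `display` sub starts and ends outside the hunk.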
@@ -398,16 +401,20 @@ sub display { MAIL_URL => $self->conf->{mailUrl}, REGISTER_URL => $self->conf->{registerUrl}, HIDDEN_INPUTS => $self->buildHiddenForm($req), - STAYCONNECTED => $self->stayConnected->( $req, $req->sessionInfo ), IMPERSONATION => $self->conf->{impersonationRule} || $self->conf->{proxyAuthServiceImpersonation}, + ENABLE_PASSWORD_DISPLAY => + $self->conf->{portalEnablePasswordDisplay}, + ( + $self->stayConnected->( $req, $req->sessionInfo ) + ? ( STAYCONNECTED => 1 ) + : () + ), ( $req->data->{customScript} ? ( CUSTOM_SCRIPT => $req->data->{customScript} ) : () ), - ENABLE_PASSWORD_DISPLAY => - $self->conf->{portalEnablePasswordDisplay}, ); # External links
diff --git a/lemonldap-ng-portal/t/64-StayConnected-with-History.t b/lemonldap-ng-portal/t/64-StayConnected-with-History.t
index 0327b6552..03932e267 100644
--- a/lemonldap-ng-portal/t/64-StayConnected-with-History.t
+++ b/lemonldap-ng-portal/t/64-StayConnected-with-History.t
@@ -10,7 +10,7 @@ my $client = LLNG::Manager::Test->new( {
 ini => {
 logLevel => 'error',
 useSafeJail => 1,
- stayConnected => 1,
+ stayConnected => '$env->{REMOTE_ADDR} eq "127.0.0.1"',
 loginHistoryEnabled => 1,
 securedCookie => 1,
 stayConnectedTimeout => 1000,
diff --git a/lemonldap-ng-portal/t/64-StayConnected-with-rule.t b/lemonldap-ng-portal/t/64-StayConnected-with-rule.t
new file mode 100644
index 000000000..267724d8b
--- /dev/null
+++ b/lemonldap-ng-portal/t/64-StayConnected-with-rule.t
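Review bot: The `STAYCONNECTED` element in the `@@ -398` hunk only decides whether the checkbox is rendered; nothing visible in this diff re-evaluates the rule when the form is submitted. If the plugin that handles the submitted `stayconnected` field does not apply the same rule (not visible here, worth confirming), the restriction is cosmetic rather than enforced. The rule is also called with `$req->sessionInfo` while the login form is being built, presumably before any user attributes exist, so only `$env`-based conditions can be meaningful at this point. A comment such as `# evaluated before authentication: only $env-based rules are meaningful here` would make that explicit. The `display` sub starts and ends outside the hunk.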
@@ -0,0 +1,64 @@
+use Test::More;
+use strict;
+use IO::String;
+
+require 't/test-lib.pm';
+
+my $res;
+my $client = LLNG::Manager::Test->new( {
+ ini => {
+ logLevel => 'error',
+ useSafeJail => 1,
+ requireToken => 1,
+ stayConnected => '$env->{REMOTE_ADDR} =~ /^127\.0\.0/'
+ }
+ }
+);
+ok( $res = $client->_get( '/', accept => 'text/html' ), 'Firt access' );
+my ( $host, $url, $query ) =
+ expectForm( $res, undef, undef, 'user', 'password', 'stayconnected',
+ 'checkLogins', 'token' );
+ok( $res = $client->_get( '/', ip => '10.10.10.10', accept => 'text/html' ),
+ 'Access from external LAN' );
+( $host, $url, $query ) =
+ expectForm( $res, undef, undef, 'user', 'password', 'checkLogins', 'token' );
+count(2);
+
+$query =~ s/user=/user=dwho/;
+$query =~ s/password=/password=dwho/;
+
+# Try to authenticate
+# -------------------
+ok(
+ $res = $client->_post(
+ '/',
+ IO::String->new($query),
+ ip => '10.10.10.10',
+ accept => 'text/html',
+ length => length($query)
+ ),
+ 'Auth query'
+);
+count(1);
+my $id = expectCookie($res);
+expectRedirection( $res, 'http://auth.example.com/' );
+
+# Try to push fingerprint
+$query =~ s/fg=/fg=aaa/;
+ok(
+ $res = $client->_post(
+ '/registerbrowser',
+ IO::String->new($query),
+ length => length($query),
+ cookie => "lemonldap=$id",
+ accept => 'text/html',
+ ),
+ 'Post fingerprint'
+);
+count(1);
+expectRedirection( $res, 'http://auth.example.com/' );
+
+$client->logout($id);
+clean_sessions();
+done_testing( count() );
+
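Review bot: The test asserts that the `stayconnected` field is missing from the form served to `10.10.10.10`, but it never checks that the rule is enforced on submission. No request from the excluded address carries the `stayconnected` field, and the final `/registerbrowser` POST omits `ip`, so it presumably runs from the harness's default address rather than the excluded one. Adding `ip => '10.10.10.10',` to that request, plus a case that submits the field from the excluded address and expects no persistent-connection state to be created, would cover the server side of the rule. The file also enables `use strict;` without `use warnings;`.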