Captive portal manual logout page address

Gertjan

I'll give it a try to 'backport' all this to pfSense 2.2 Release.
I'm pretty sure its possible.

EMWEE

Got it working on 2.2. Just do the same thing :)

Gertjan

@EMWEE:

Got it working on 2.2. Just do the same thing :)

Yep. You're right. Works for me on 2.2 now.
I'll have to do some checking the next severals days - have 'verbose portal logging' activate to see how it goes.

amitaussie

Hi there,

I am not able to get it working after days effort. I am not using https CP.

Can anyone please write a step by step guide to make this working.

Thanks

Regards

amitaussie

Gertjan

I never tried it without https login.

Like: "why do it the easy way, if the difficult way is available ?"  :)
https need valid signed certificates by a know authority, I just followed "PFsense 2.1 MultiCP and https with Windows Radius Guide" (in this forum) and …. it worked - costs me some time and zero € or $ **.

I'll test the plain http tomorrow morning (can't test my portal on distance  >:( )

**) but you need to have a valid, existing domain name on the internet, which, of course, costs some € or $ a year ......

Btw: Here are my portal stats (all stats are pfSense internals) http://www.test-domaine.fr/munin/brit-hotel-fumel.net/pfsense.brit-hotel-fumel.net/index.html#portalusers

EMWEE

@amitaussie:

I am not using https CP.

It works on http.

Guide is on de previous page.
https://forum.pfsense.org/index.php?topic=77143.msg478165#msg478165

Gertjan

@EMWEE:

@amitaussie:

I am not using https CP.

It works on http.

Guide is on de previous page.

Thanks for the info  :)

EMWEE

Think im gonna try the less secure IP/MAC solution.

I use it in a enviroment with BYOD en slot of Androids/IPhone dont lauch there browser but login via the OS. So the cookie is not stored.

Gertjan

@EMWEE:

I use it in a enviroment with BYOD en slot of Androids/IPhone dont lauch there browser but login via the OS. So the cookie is not stored.

"So the cookie is not stored" ??
I tested all this with one device : an iPhone 4S (iOS 8x). I know my iPhone stores the cookie, because I get the logout-page.
This page can pop up if the cookie is found and the cookie info contains a current logged-in session ID.

I presume all iDevice (iPhone, iPad, etc) and other smartphones, all PC's, that is,  the actual clients on our wifi network) are logging in because a browser pops up …. we rarely explain that at the reception (of our hotel).
I NEVER touch or control devices of our clients (the BYOD owners) - some times I know they have 'static IP's ( well .....  ;D) or 'firewalls that block everything except their 'own' home network (well ......  ;D).

EMWEE

Well i have tested it on different phones. Soms phones open the browser to login. ATM im running Android 5.0.2 and it opens up a captive portal login from Android it self…nog a browser.

A collegue of mine tested it on his iphone while using the system login and not his browser and had the same problem...no cookie.

So here is a screen from my Android 5.0.2.

Check the icon on the left. If i click on that system message it doesnt load a browser.

Ill make more screens tomorrow.

EMWEE

@Gertjan:

@EMWEE:

I use it in a enviroment with BYOD en slot of Androids/IPhone dont lauch there browser but login via the OS. So the cookie is not stored.

I NEVER touch or control devices of our clients (the BYOD owners)

Maby not everyone is using the logout option.

Gertjan

Well. Great. You're right.

PC's (tested Windows 7) with a default browsers like IE, Chrome FF or whatever: they will receive the cookie.

The integrated iOS browser used by my iPhone thats pops up when I connect to the wifi portal: It will NOT store the cookie.
Hitting again with the 'real' Safari (the build in App) browser the portal page will let me auth again (I was already authenticated) and this time, the cookie shows up in the (his) cache. I could see it **.
(this is what I was doing all the time, I guess, blaming some cache issue.)
When done that, another visit will show me the logout page - as planned.

The 'login' browser isn't the same thing as the App browser ? The login browser doesn't store cookies ?
Anyway: the 'cookie system' isn't perfect for mobile or hand held devices like Androids, iDevices, etc.

What now ?
As you already said above: Mixing up MAC/IP and Cookie ?

** I changed the cookie set code:
[in /etc/inc/captiveportal.inc - in function captiveportal_reapply_attributes($cpentry, $attributes)]

	$timeout = 0;
	if (!empty($config['captiveportal'][$cpzone]['timeout']) && is_numeric($config['captiveportal'][$cpzone]['timeout'])) {
		$timeout = time() + $config['captiveportal'][$cpzone]['timeout'] * 60;
		setcookie("cookie_portal", $sessionid, $timeout);
	} else
		setcookie("cookie_portal", $sessionid, $timeout);

If a hard timeout is set then it's used to set a the cookie expiration time.

http://pastebin.com/jDHVaNwf updated in consequence.

EMWEE

Hmm i dont understand the idea behind this… :(

EMWEE

Nah in Android i get my login page but its not my browser. When i login it closes right after….so no redirect either.

Im crakcing my head around your new code....but i cant figure out your idea behind setting a timeout in the cookie.

doktornotor

@Gertjan:

The 'login' browser isn't the same thing as the App browser ?

Yes. It's not the same thing. The "browser" (Captive Network Assistant) is a piece of junk…

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116041-solution-apple-osx-00.html
https://support.ruckuswireless.com/answers/000002368

Gertjan

@EMWEE:

Nah in Android i get my login page but its not my browser. When i login it closes right after….so no redirect either.

Im crakcing my head around your new code....but i cant figure out your idea behind setting a timeout in the cookie.

http://php.net/manual/en/function.setcookie.php
Look at this part in the 'expire' condition: " …. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes). "

Knowing now that we deal with two browsers, the junk browser [doktornotor  ;)] and the real APP afterwards, I thought : what if they DO share their cache ? what if the first closes (as you said) then I could consider this as a 'session close' …. and the cookie would be destroyed.
So I use the hard timeout limit (we set it in minutes, I convert to seconds) , if its present. If none is present, then, well, 'expire' stays '0' - as default.

https://support.ruckuswireless.com/answers/000002368 tells a lot about Apple's CNA: it probably doesn't takes the cookie. Other smartphones, other CNA's: same issue.

EMWEE

So the Captive Portal Assistant (pseudo browser) shares the cookies with your other browers?

Gertjan

@EMWEE:

So the Captive Portal Assistant (pseudo browser) shares the cookies with your other browers?

Noop. Guess not. See my last message …. I edited.

EMWEE

Right, think im gonna switch to the less secure IP/MAC option.

doktornotor

@EMWEE:

So the Captive Portal Assistant (pseudo browser) shares the cookies with your other browers?

No. It's like a crippled "anonymous" browser, no cookies saved, no javascript either AFAICT. The Apple support forums are full of complaints about this nonsense (additionally, it gets gradually worse with every new OS release.