Captive portal manual logout page address
-
Well. Great. You're right.
PC's (tested Windows 7) with a default browsers like IE, Chrome FF or whatever: they will receive the cookie.
The integrated iOS browser used by my iPhone thats pops up when I connect to the wifi portal: It will NOT store the cookie.
Hitting again with the 'real' Safari (the build in App) browser the portal page will let me auth again (I was already authenticated) and this time, the cookie shows up in the (his) cache. I could see it **.
(this is what I was doing all the time, I guess, blaming some cache issue.)
When done that, another visit will show me the logout page - as planned.The 'login' browser isn't the same thing as the App browser ? The login browser doesn't store cookies ?
Anyway: the 'cookie system' isn't perfect for mobile or hand held devices like Androids, iDevices, etc.What now ?
As you already said above: Mixing up MAC/IP and Cookie ?** I changed the cookie set code:
[in /etc/inc/captiveportal.inc - in function captiveportal_reapply_attributes($cpentry, $attributes)]$timeout = 0; if (!empty($config['captiveportal'][$cpzone]['timeout']) && is_numeric($config['captiveportal'][$cpzone]['timeout'])) { $timeout = time() + $config['captiveportal'][$cpzone]['timeout'] * 60; setcookie("cookie_portal", $sessionid, $timeout); } else setcookie("cookie_portal", $sessionid, $timeout);If a hard timeout is set then it's used to set a the cookie expiration time.
http://pastebin.com/jDHVaNwf updated in consequence.
-
Hmm i dont understand the idea behind this… :(
-
Nah in Android i get my login page but its not my browser. When i login it closes right after….so no redirect either.
Im crakcing my head around your new code....but i cant figure out your idea behind setting a timeout in the cookie.
-
The 'login' browser isn't the same thing as the App browser ?
Yes. It's not the same thing. The "browser" (Captive Network Assistant) is a piece of junk…
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116041-solution-apple-osx-00.html
https://support.ruckuswireless.com/answers/000002368 -
Nah in Android i get my login page but its not my browser. When i login it closes right after….so no redirect either.
Im crakcing my head around your new code....but i cant figure out your idea behind setting a timeout in the cookie.
http://php.net/manual/en/function.setcookie.php
Look at this part in the 'expire' condition: " …. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes). "Knowing now that we deal with two browsers, the junk browser [doktornotor
;)] and the real APP afterwards, I thought : what if they DO share their cache ? what if the first closes (as you said) then I could consider this as a 'session close' …. and the cookie would be destroyed.
So I use the hard timeout limit (we set it in minutes, I convert to seconds) , if its present. If none is present, then, well, 'expire' stays '0' - as default.https://support.ruckuswireless.com/answers/000002368 tells a lot about Apple's CNA: it probably doesn't takes the cookie. Other smartphones, other CNA's: same issue.
-
So the Captive Portal Assistant (pseudo browser) shares the cookies with your other browers?
-
So the Captive Portal Assistant (pseudo browser) shares the cookies with your other browers?
Noop. Guess not. See my last message …. I edited.
-
Right, think im gonna switch to the less secure IP/MAC option.
-
So the Captive Portal Assistant (pseudo browser) shares the cookies with your other browers?
No. It's like a crippled "anonymous" browser, no cookies saved, no javascript either AFAICT. The Apple support forums are full of complaints about this nonsense (additionally, it gets gradually worse with every new OS release.
-
GertJan do you have some new links on the pastbin files for your IP/MAC solution?
My already_connected function works…but it seems it can resolv #PORTAL_SESSION#
So I guess I need to add the $htmltext = str_replace("#PORTAL_SESSION#", htmlspecialchars($sessionid), $htmltext);
-
I am not using https CP.
It works on http.
Guide is on de previous page.
https://forum.pfsense.org/index.php?topic=77143.msg478165#msg478165Hi EMWEE,
Thanks for your reply.
I am trying to work this solution on LAN interface, but authentication page is not showing, may be I have settings in Firefox " Do no remember history" I ll change this to normal setting and ll try if it works then…
Regards
amitaussie
-
Does your captive portal works without the modifications?
U should get your AUTHENTICATION page by default. So if that doesnt work your captive portal doesnt work out of the box…or u made a mistake in index.php...what would result in a error in your browser.
Maby post your complete index.php and captiveportal.inc on pastebin and share in it this topic.
-
Hi EMWEE!
Client is not able to connect to internet if CP is active on LAN interface in pfSense and url on client shows this:
http://192.168.100.1:8002/index.php?zone=cpzone1&redirurl=http%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A%2F%2F%2Fhttp%3A
and gives this message in page - The page isn't redirecting properly
If I do not make changes in pfSense, CP page is showing for authentication on LAN and pop up for log out is working ok.
below are the files…
/etc/inc/captiveportal.inc- http://pastebin.com/BUstXyr1
/usr/local/captiveportal/index.php- http://pastebin.com/ffj69qAb
Index.php file is copied from Gertjan's pastebin
File: /usr/local/captiveportal/index.php : http://pastebin.com/scYuKTyw - index.php
Thanks and Regards
amitaussie
-
Do you have a html file with the name "zone"-already-connected.html? (ex. Wifi-already-connected.html)
If your users have a cookie they are redirected to that page.
-
Hi EMWEE!
Yes I have uploaded that file in CP using File Manager. File I uploaded is copied from Gertjan's pastebin
I am using default setting of browsers i.e. firefox. Browser is configure to remember history and accept cookies.
I do not understand how to users have cookie
If your users have a cookie they are redirected to that page.
Thanks & Regards
amitaussie
-
He (amitaussie) PM'ed me with this:
CP Tab: file Manager status:captiveportal-cpzone1-already-connected.html 984 bytes delete captiveportal-style.css 2 KB delete TOTAL 3 KBseems good to me.
I'm put in place his
/etc/inc/captiveportal.inc- http://pastebin.com/BUstXyr1
/usr/local/captiveportal/index.php- http://pastebin.com/ffj69qAbon my pfsense - and report back.
edit.
Ok, found something - your /usr/local/captiveportal/index.php is nearly ok.
This : http://pastebin.com/ffj69qAb when I upload it to my server, produces a file coded in "UNIX - UTF 8 w/o BOM".
Should be "UNIX ANSI."Your http://pastebin.com/ffj69qAb does not popup the portal page for me.
I rebuild http://pastebin.com/scYuKTyw - /usr/local/captiveportal/index.php - entire file - version 2015-02-06 : I took an original "index.php from https://github.com/pfsense/pfsense/blob/RELENG_2_2/usr/local/captiveportal/index.php [ PfSense 2.2 Release ] - added my 2 mods - tested on my pfSense and stored on pastbin.org :: http://pastebin.com/scYuKTyw ]Btw: I found out that when coping back the files from pastebin.org to my text editor it converted ther char encoding "UNIX UTF w/o BOM" (there are some nasty non-pure ASCI chars in the file).
Saving the file (example: index.php) in this format will 'explode' the pfSense web server.
ALWAYS check you code page : often this info is visible at the bottom of your text editor (Notepad++, or far better : UltraEdit) -
Hi Gertjan!
Thank you very much for your effort.
I ll check it tomorrow and revert back.
Thanks & Regards
amitaussie
-
So today i had some free time on the box to test the IP/MAC solution and i cant get it to work. When i revisit the portal page i do get the "already_connected.html" page. But when i press my logout button nothing happends. They only diffrent i can spot is that it doesnt show my #PORTAL_SESSION# string. So i guess thats why i cant logout.
Here is my code:
#function already_connected($clientip, $clientmac) { global $cpzone; if (($clientip != "") && ($clientmac != "")) { $query = "WHERE ip = '{$clientip}' AND mac = '{$clientmac}'"; $cpdb = captiveportal_read_db($query); /* Lookup the $sessionid */ foreach ($cpdb as $cpentry) { if (($cpentry[2] == $clientip) && ($cpentry[3] == $clientmac)) return $cpentry[5]; } return false; } else return false; }So this part works…since i get redirected to the already_connected page.
function portal_reply_page($redirurl, $type = null, $message = null, $clientmac = null, $clientip = null, $username = null, $password = null) { global $g, $config, $cpzone; /* Get captive portal layout */ if ($type == "redir") { header("Location: {$redirurl}"); return; } else if ($type == "login") $htmltext = get_include_contents("{$g['varetc_path']}/captiveportal_{$cpzone}.html"); else if ($type == "already_connected") { # $sessionid = $_COOKIE['cookie_portal']; $htmltext = get_include_contents("{$g['captiveportal_path']}/captiveportal-{$cpzone}-already-connected.html"); $htmltext = str_replace("\$PORTAL_SESSION\$", htmlspecialchars($sessionid), $htmltext); $htmltext = str_replace("#PORTAL_SESSION#", htmlspecialchars($sessionid), $htmltext);I guess here is something wrong with the str_replace…but i cant figure it out.
I have this on bottom of index.php
else if (already_connected($clientip, $clientmac)) { /* display already connected page */ portal_reply_page($redirurl, "already_connected",null,$clientmac,$clientip);This looks fine by me since i do get redirected.
And finally, the main part of my zone-already-connected.html:
<form method="post" ="" action="#PORTAL_ACTION#"> <a>IP:</a> <a_curs>#CLIENT_IP#</a_curs> <a>MAC:</a> <a_curs>#CLIENT_MAC#</a_curs> <a>Session:</a> <a_curs>#PORTAL_SESSION#</a_curs> </form>So i dont see any session ID after Session. When i use cookies this works fine. Does this have anything do to with RADIUS (im using RADIUS).
Or am i missing some part where i need to set sessionid as cpentry[5] in the portal_reply_function?
Something like this:
else if ($type == "already_connected") $sessionid = $cpentry[5]; $htmltext = get_include_contents("{$g['captiveportal_path']}/captiveportal-{$cpzone}-already-connected.html"); $htmltext = str_replace("\$PORTAL_SESSION\$", htmlspecialchars($sessionid), $htmltext); $htmltext = str_replace("#PORTAL_SESSION#", htmlspecialchars($sessionid), $htmltext); -
Ok, I understand why you return " $cpentry[5];" in stead of "true":
function already_connected($clientip, $clientmac) { global $cpzone; if (($clientip != "") && ($clientmac != "")) { $query = "WHERE ip = '{$clientip}' AND mac = '{$clientmac}'"; $cpdb = captiveportal_read_db($query); foreach ($cpdb as $cpentry) { if (($cpentry[2] == $clientip) && ($cpentry[3] == $clientmac)) return $cpentry[5]; } } return false; }But, here:
.... else if ($type == "already_connected") $sessionid = $cpentry[5]; ...Danger : (in function portal_reply_page) : "$cpentry[5]" is unknown there, so it is an empty string == "" == nothing.
Just look it up, by now you know for sure it exists:
..... else if ($type == "already_connected") $sessionid = already_connected($clientip, $clientmac); .....After that, you don't have to do this:
.... $htmltext = str_replace("\$PORTAL_SESSION\$", htmlspecialchars($sessionid), $htmltext); $htmltext = str_replace("#PORTAL_SESSION#", htmlspecialchars($sessionid), $htmltext); ....Because its done a couple of line farther along already.
Check out http://pastebin.com/piamkhNB - line 35 and 45 :D
-
Thanks again for ur fast reply GertJan :D.
No wonder that i didnt see a sessionsid when the string was empty. I didnt know it would be unknown at that function.
So ur solution would fix that problem. Thanks again!
