Captive portal manual logout page address
-
I am browsing internet after log in via CP login page, I want to log out, I recall log out page 192.168.100.1:8002, it comes, but if I close the browser without logging out and later on when I try to log out by recalling log out page, I am redirected to CP Login page and after entering credentials then only I am redirected to log out page.
This is by design ;)
I already talked about setcookie() and how the browser handles cookies.
Read again: http://php.net/manual/en/function.setcookie.php
And this time, see what the THIRD parameter does: expire.Remember :
setcookie("cookie_portal", $sessionid);is the same thing as
setcookie("cookie_portal", $sessionid, 0);What you described in your question:
The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+606024*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).
So => closing browser == cookie destroyed == no more log out page.
This means you have to walk through the login again to get a cookie to be able to logout.
Exactly as you found out.A solution might:
setcookie("cookie_portal", $sessionid, time()+strtotime("+1 day"));This cookie will be persistent for one day.
-
Hi Gertjan!
This solution is perfect now, I hope! working great in 2.2!
setcookie("cookie_portal", $sessionid, time()+strtotime("+1 day"));
For one day it is ok.
Testing it further to see if there's anything to improve (hopefully nothing :))Thanks & Regards
-
….
Testing it further to see if there's anything to improve (hopefully nothing :))Ok, good.
I conclude that you do not use any smartphones like Androids en iDevices (iPhone, iPads) on your portal network ?
Because they use CNA 'navigator' which will discard the cookie on login …..
This means that, as you said already, people have to re-login with their 'real' browser to get a cookie - to be able to log out .... -
Hi!
Well…
People do use smartphones to browse internet in my network. So you mean to say they won't be able to access log out page...oh! ok. If it can be solved then its great! Otherwise not a big issue as everyone uses his own smartphone etc. and if they are not served a log out page.
Thanks & Regards!
-
So you mean to say they won't be able to access log out page…oh! ok. If it can be solved then its great! Otherwise not a big issue as everyone uses his own smartphone etc. and if they are not served a log out page.
No, no, no… you misunderstood that issue. They will be logged out as soon as they've logged in via the crippled CNA "browser". They need to use their real browser to log in if they want to continue browsing.
-
Hi!
oh ! Is this CNA browser feature offered by Apple IOS only ? As I have checked with my Samsung mobile, i am offered my CP login page and after log in, I am able to browse and recall log out page. Its working in Samsung mobile.
Do i have to install any other browser in Apple devices to bypass this CNA feature, like chrome etc.?
Thanks & Regards!
amitaussie
-
Do i have to install any other browser in Apple devices to bypass this CNA feature, like chrome etc.?
Will not help. The only way to avoid this junk is to avoid CP detection altogether.
-
No, no, no… you misunderstood that issue. They will be logged out as soon as they've logged in via the crippled CNA "browser". They need to use their real browser to log in if they want to continue browsing.
When i login via CNA everything works fine. I just use the less secure IP/MAC solution.
-
I just use the less secure IP/MAC solution.
Yeah, so what exactly does this have to do with the manual logout page?
-
No, no, no… you misunderstood that issue. They will be logged out as soon as they've logged in via the crippled CNA "browser". They need to use their real browser to log in if they want to continue browsing.
They won't be logout…they r just not getting the cookie (or am I missing something). So I use the IP/MACso users can use CNA or browser.
-
This entire thread has been discussing how to log out people by using a cookie. So yeah, you can use CNA just fine if you not using logout, just don't get why are you discussing this on a CP manual logout thread…
-
This entire thread has been discussing how to log out people by using a cookie. So yeah, you can use CNA just fine if you not using logout, just don't get why are you discussing this on a CP manual logout thread…
No its not. It been discussed using IP/MAC too at the first page..and this does work with CNA. Im just stating this since the cookie solution is troublesome for phones/tablets.
-
doktornotor, you joined in with the "cookie issue with CNA" which, by the way, destroyed half the fun, not because it was true but because I thought it was working good, or all prove was there that it wasn't ;) CNA f*cked that up.
It was lsense, who told use that he uses cookies https://forum.pfsense.org/index.php?topic=77143.msg421812#msg421812
I wasn't doing so, before. I used a lookup with IP and MAC which I found secure enough because my portal uses https. (But, for some reason, it seems to me that most of us don't)Anyway, who cares :D
Maybe I should write-up a cookie+(MAC/IP) …. but what I realy need it the answer to his first:
https://forum.pfsense.org/index.php?topic=77143.msg478165#msg478165
Last "Btw":
@lsense:modify capture of 1.1.1.1 in ipfw : it gets always redirected, even if authenticated
"Could you detail this please ? What is de ipfw rule ? Injected where ?"
(Ok, I know where, but what ipfw rule ? I'm an iptables man)I'd like to know how to make a short simple easy-to-remember logout URL, like "logme.out" or even "logout" that get redirected to the captive portal web server.
Any ideas ?Byw: It's easy to circumvent the CNA login culprit.
Just connect to the Wifi network.
The CNA pops up.
Shut it down ! (iDevice: hit de home button).
Open the real browser, like Safari or whatever you have on your iDevice.
Login.
The cookie will be there.
Tested and works every time on an iDevice. -
I use a NAT rule: IP of CP port 80 redirect to 8002.
And a DNS record: logout.me with ip of the CP.
I bet Isense redirect 1.1.1.1 to CP IP:800x
-
Hi!
Its working for last more than 24 hours, squid3+transparent proxy+ SSL bump+ squidguard + CP Logout page, no glitches, restarted, everything is working flawless, checked on pcs and mobiles. Everything seems Ok! ;D
Thanks & Regards!
amitaussie
-
Hi! All
I have the same problem
I want to logout manual
Please help me step by step.Thank
-
See the first pagr on this topic.
-
thank you …
-
Last "Btw":
@lsense:modify capture of 1.1.1.1 in ipfw : it gets always redirected, even if authenticated
"Could you detail this please ? What is de ipfw rule ? Injected where ?"
(Ok, I know where, but what ipfw rule ? I'm an iptables man)sorry for the timed out reply, I report it here just for reference.
search for the comment "Authenticated users rules" in /etc/inc/captiveportal.inc and put those two lines in:/* Authenticated users rules. */ $cprules .= "add {$rulenum} fwd 127.0.0.1,{$listenporthttp} tcp from any to 1.1.1.1 in\n"; $rulenum++; $cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n"; $rulenum++; $cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n"; $rulenum++; -
@Gertjan
The cookie solution has another disadvantage. If user uses more than one browser in the same session he could logout only with the original login browser. The other one doesn't know the cookie. For me a IP/MAC solution is secure enough. Spoofing the HTTP REMOTE_ADDR is not that easy. You need a proxy server for this. And what is the risk? The effort is high for what? Log-out another user from your hotel network.Working with IP address has another advantage. I use "daloradius" to manage my radius database. In daloradius is a logout functionality which isn't working with Pfsense. Psense hasn't the api of PoD (Package of Disconnect) nor CoA (Change of Authorization). With IP logout I could extend "index.php" with two parameters IP & MAC. With this I could call the logout window and I would be able to disconnect a user from daloradius.
Do we have to patch pfsense always or is there a plan to replace current logout windows in the official Pfsense version? Who is responsible for captiveportal?
