What happened to "Pre-authentication ...." ?



  • Consider

    0_1542889540170_158ce6d5-7131-4f4a-b341-b6cf8ea8be4e-image.png

    "After authentication URL", which I'm using for a long time now, does what it claims to do : after authenticatio users will see google.com.

    But the description of "Pre-authentication redirect URL" conflicts with the user manual.

    A "Pre-authentication redirect URL" will redirect visitors to this URL after authentication only if the captive portal don't know where to redirect them.
    I had to much coffee this morning, or not enough ?

    It happened here : https://github.com/pfsense/pfsense/commit/b60a39ae486844e75e6e384710c2df3f86db520d#diff-7e49d642280675092542de8bd5454f3c
    @Augustin FL ?


  • Rebel Alliance

    @gertjan said in What happened to "Pre-authentication ...." ?:

    I had to much coffee this morning, or not enough ?

    not you...but others did, years ago

    what happened is that in 2.4.3 (and before) the description of "Pre auth URL" didn't reflected what the feature was really doing.

    This setting was used as "default URL" instead by the captive portal.

    as proof, you could see commits dated from long time ago talking about usage of Pre-Authentication URL ($redirurl)....after authentication. https://github.com/pfsense/pfsense/commit/adbb495cd692f3aeda39efddb15f02b6df46603f

    you could also see that since years, captive portal is redirecting non connected users to the login page without checking for pre-Authentication URL. the change seems to have been done 11 years ago : https://github.com/pfsense/pfsense/blob/65fbb3889680ae561f0d60c8038dbc1a737af0a2/usr/local/captiveportal/index.php#L59-L61
    before this commit, I don't see any mention of /index.php?redirurl= ....meaning that it was possible before that to redirect an user to other places than the captive portal login page

    anyway, this setting was very misleading for me, I took quite a bit to understand what could it be used for....so I updated its description, that's all. there is no behaviour change of this setting (unless I made a mistake of course).

    it's entirely possible that I missed something, though. i am going to re-check carefully the behaviour of Pre-Authentication URL in 2.4.3 in the next days, to make sure there is no change.

    maybe we should think about updating the docs ?



  • I played a little bit with " configuring-a-pre-authentication-redirect-for-captive-portal-users ".

    Using Pre-authentication redirect URL and doing what is stated here still redirect the user to another web server. - not the captive portal.

    This should be edited :

    <?php
     require("globals.inc");
     $request_uri = urldecode(str_replace("/index.php?redirurl=", "",  $_SERVER["REQUEST_URI"]));
     $portal_redirurl = urldecode("$PORTAL_REDIRURL$");
     if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) {
        Header("Location: $PORTAL_REDIRURL$");
        exit;
     }
    ?>
    
    [Rest of CP login page]
    

    The line

    require("globals.inc");
    

    should be removed now, it's already included.

    The line (URL) on the pre authed web server that takes the user back :

    http://x.x.x.x:8000/index.php
    

    should at least include ?zone=your_zone like :

    https://your_portal_server.your_pfsense.tld:8003/index.php?zone=your_zone&......
    

    https://your_portal_server.your_pfsense.tld:8003 for me because "8003" is the URL and port on which my https enabled portal server is listening.
    ?zone=your_zone because otherwise the portal web server will not know which zone the user is using.

    and that where it ended for me right now.
    I'm have this subject on my to-test list, but somewhat blocked by the fact that portal debugging means : I'm throwing out the user every time I try something.

    I guess the original functionality of Pre-authentication redirect URL is still possible, but the doc should be updated a little bit.