Captive portal manual logout page address
-
See the first pagr on this topic.
-
thank you …
-
Last "Btw":
@lsense:modify capture of 1.1.1.1 in ipfw : it gets always redirected, even if authenticated
"Could you detail this please ? What is de ipfw rule ? Injected where ?"
(Ok, I know where, but what ipfw rule ? I'm an iptables man)sorry for the timed out reply, I report it here just for reference.
search for the comment "Authenticated users rules" in /etc/inc/captiveportal.inc and put those two lines in:/* Authenticated users rules. */ $cprules .= "add {$rulenum} fwd 127.0.0.1,{$listenporthttp} tcp from any to 1.1.1.1 in\n"; $rulenum++; $cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n"; $rulenum++; $cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n"; $rulenum++;
-
@Gertjan
The cookie solution has another disadvantage. If user uses more than one browser in the same session he could logout only with the original login browser. The other one doesn't know the cookie. For me a IP/MAC solution is secure enough. Spoofing the HTTP REMOTE_ADDR is not that easy. You need a proxy server for this. And what is the risk? The effort is high for what? Log-out another user from your hotel network.Working with IP address has another advantage. I use "daloradius" to manage my radius database. In daloradius is a logout functionality which isn't working with Pfsense. Psense hasn't the api of PoD (Package of Disconnect) nor CoA (Change of Authorization). With IP logout I could extend "index.php" with two parameters IP & MAC. With this I could call the logout window and I would be able to disconnect a user from daloradius.
Do we have to patch pfsense always or is there a plan to replace current logout windows in the official Pfsense version? Who is responsible for captiveportal?
-
Unrelated to this thread, we committed a change to 2.3 this week to switch index.php to a logout page if you reload the portal URL.
https://github.com/pfsense/pfsense/commit/d2ecbddc79a9b67cae52fca6cd3b7bebd758b047
Be sure to read the note on the commit.
-
Here are my modifications that work with cookies:
Please note : I use the https version of the captive portal with a valid (startssl.com certificat) (I don't know if this is important).
Right now, (January 2015) this setup works on one of my pfSense installations (an hotel).
I'm using a nearly clean, original "2.1.5-RELEASE (amd64) built on Mon Aug 25 07:44:45 EDT 2014".edit: these pastebin.org files are locked 'forever' - keep in mind that used to work with 2.1.5 - They might need some re-coding for 2.2.
File: /usr/local/captiveportal/index.php : http://pastebin.com/scYuKTyw - index.php - compare and modify last ~ 15 lines
Basically, this parted gets inserted:} else if ((isset($_COOKIE['cookie_portal']) && already_connected($_COOKIE['cookie_portal']))) /* if we have a valid session, display already connected page - offer logout */ portal_reply_page($redirurl, "already_connected",null,$clientmac,$clientip);
File /etc/inc/captiveportal.php :
-
Replace the entire function portal_reply_page(…) with this one : http://pastebin.com/piamkhNB
-
Just above this new function portal_reply_page(...), add this new function already_connected(…) : http://pastebin.com/CFatytZ9
-
Replace the entire function portal_allow(…) with this one : http://pastebin.com/jDHVaNwf (actually, I just added nearly at the bottom one line:
setcookie("cookie_portal", $sessionid);
And:
Upload these two files with the FileManager available in the Captive Portal:
style.css - http://pastebin.com/MqwEcxVP (this file will be called and used as captiveportal-style.css when uploaded)
xxxxxxx-already-connected.html - http://pastebin.com/PUyQvAuv (this file will be called and used as "captiveportal-xxxxxxx-already-connected.html" when uploaded)You probably have to change the first part of the last file name = "xxxxxxx" in xxxxxxx-already-connected.html
Edit your instance (zone) of your captive portal. You will find the wanted parted in the URL:
Example, mine is showing this:
http://192.168.1.1/services_captiveportal.php?zone=xxxxxxx
(Note: my first and unique Captive portal zone is being called "ZONE1" - that's NOT the part we wanted)Hi Gertjan, if you're still there I just wanted to know if its working with freeradius auth? I did tried this one. But I guess I'm a bit lost. I don't know where is the Zone thing :'( :'( :'(
The issue is: I've been redirected to the disconnecting page. I was expecting that I may not be able to use the net, but I still can.
-
-
Yes, I'm still here.
You are using Radius -I'm not. So you tell me if everything works with your setup.
This https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L167 should probably be checked out.
Btw :
File: /usr/local/captiveportal/index.php : http://pastebin.com/scYuKTyw - index.php - compare and modify last ~ 15 lines
Basically, this parted gets inserted:This is wrong. The cookie is laso destoyed at line 124 (see pastebin link).
-
Yes, I'm still here.
You are using Radius -I'm not. So you tell me if everything works with your setup.
This https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L167 should probably be checked out.
I also have that line sir. Here's my index link: http://pastebin.com/ZU2TNYeZ - index.php and my inc file: http://pastebin.com/1sD9iZb3
Hope you don't mind checking it out. I'm a bit lost. :'( :'( :-[[quote]
Btw :File: /usr/local/captiveportal/index.php : http://pastebin.com/scYuKTyw - index.php - compare and modify last ~ 15 lines
Basically, this parted gets inserted:This is wrong. The cookie is laso destoyed at line 124 (see pastebin link).
Should i remove that part in my code?
By the way, im in the part when i clicked the "LOGOUT" i am redirected in "Disconnecting" but im still connected.
??? :o -
Hi Gertjan,
Hope you are doing great!
I have tried this in 2.3 but its not working, any modification to make logout working in 2.3
-
Going well here :)
2.3 isn't really different when it concerns the captive portal code.
I guess the patches can be applied when you know that you have to patch the intelligent way : line numbers have changed, some code changes have been made, etc.
You have to know what you patch in, what it does - en what the actual code does.What different is : Knowing that the "lookup-session-with-cookie" method doesn't work (most BOYD devices use bare-bone navigators that do not store the cookie) the "logout"
Added to that : Here in France "Internet" costs about nothing, so I sell it using the same price to my clients (visitors). This implies that people aren't looking to disconnect anymore.So, you can understand that I 'm not looking anymore to have users disconnecting themselves.
(although I have a "disconnect-for-inactivity" very low : 30 minutes). -
Thanks Dear,
I'll try to work it out.
-
@Gertjan
Hello Gertjan,I read all the thread with attention.
I'm real bad in coding, i'm a network lad.You look to know very well php, and pfsense captive portal auth and co management.
Sorry to dig out this old topic, but i have diffilculties to find the simple solution i'm looking for.So i ask for your help sir..
All i need is a simple logout php or html page that send directly a logout command to the server and logs out the client that start that page. No action needed by the client (no click, nothing)
I tried with the examples you gave but no success, i know sh** in php..
Your help would be very much apreciated
Regards
-
when @brinch enjoy digging up burried threads a bit too much
could you please create a new thread ?
-
:D
I've done it already.
But that guy mentioned is the one! @Gertjan -
Portal logout page :
The thing is : browser got smarter these days.
Cookies aren't stored or accisble by default any more.
Browser do NOT accept popup, pages (any more) .....So, the logout page you push out when the user logs in doesn't get show up on the user's screen as a windows or tab where the user can logout.
And you can not control the users browser settings ...When time is money : explain the user while he is logging in that the soft-timeout is set to a very low value, which means that without user activity, the user gets disconnected fast.
Also : inform the user that he should de activated his Wifi connection on his side when he is done using your resources. If not : his credit time will get used .... So, when the user disconnects, the idle (soft) time will handle everything for you without any coding. -
Ok, i understand.
But there me be a very easy way to write a simple php page that directly log out the user who launches it. No pop up, no confirmation button.
http://mypfsense:8004/logout.php
Just a function that get the session id and kill the current session.
I tried to code something with the elements you gave, but it didn't work ...
-
@brinch said in Captive portal manual logout page address:
I tried to code something with the elements you gave, but it didn't work ...
You should :
Obtain user's IP and MAC (see /usr/local/captiveportal/index.php how to get the, it's easy.Use this to get the session ID :
Use https://github.com/pfsense/pfsense/blob/fb249aefa378172d6c246e62d15a8da40d80c5b6/src/etc/inc/captiveportal.inc#L2834 to get the session entry.
$cpentry[5] should contain the session ID.
Now call https://github.com/pfsense/pfsense/blob/fb249aefa378172d6c246e62d15a8da40d80c5b6/src/etc/inc/captiveportal.inc#L1214 using this session ID.
-
This post is deleted! -
This worked for me :
<?php require_once("captiveportal.inc"); require_once("auth.inc"); require_once("functions.inc"); global $g, $config, $cpzone, $cpzoneid; /* Are there any portals ? */ if (is_array($config['captiveportal'])) { /* For every portal (cpzone), do */ foreach ($config['captiveportal'] as $cpkey => $cp) /* Sanity check */ if (is_array($config['captiveportal'][$cpkey])) /* Is zone enabled ? */ if (array_key_exists('enable', $config['captiveportal'][$cpkey])) { $cpzone = $cpkey; $cpzoneid = $cp['zoneid']; $client_ip = $_SERVER['REMOTE_ADDR']; $cpentry = array(); $cpentry = captiveportal_isip_logged($client_ip); if ( array_key_exists(5, $cpentry) ) { captiveportal_disconnect_client($cpentry[5], 1, "USER LOGOUT"); } } } ?>
Note : the $cpzone should be set to the actual captive portal zone instance name !
( I'll update this post later on so the code will scan over all active captive portal zone instances )When I visited this /logout.php page, I was logged out.
edit : code updated.
-