Captive portal manual logout page address



  • I use a NAT rule: IP of CP port 80 redirect to 8002.

    And a DNS record: logout.me with ip of the CP.

    I bet Isense redirect 1.1.1.1 to CP IP:800x



  • Hi!

    Its working for last more than 24 hours, squid3+transparent proxy+ SSL bump+ squidguard + CP Logout page, no glitches, restarted, everything is working flawless, checked on pcs and mobiles. Everything seems Ok! ;D

    Thanks & Regards!

    amitaussie



  • Hi! All
    I have the same problem
    I want to logout manual
    Please help me step by step.

    Thank



  • See the first pagr on this topic.



  • thank you …



  • @Gertjan:

    Last "Btw":
    @lsense:

    modify capture of 1.1.1.1 in ipfw : it gets always redirected, even if authenticated

    "Could you detail this please ? What is de ipfw rule ? Injected where ?"
    (Ok, I know where, but what ipfw rule ? I'm an iptables man)

    sorry for the timed out reply, I report it here just for reference.
    search for the comment  "Authenticated users rules" in /etc/inc/captiveportal.inc and put those two lines in:

    
    	/* Authenticated users rules. */
    	$cprules .= "add {$rulenum} fwd 127.0.0.1,{$listenporthttp} tcp from any to 1.1.1.1 in\n";
    	$rulenum++;
    	$cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n";
    	$rulenum++;
    	$cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n";
    	$rulenum++;
    
    


  • @Gertjan
    The cookie solution has another disadvantage. If user uses more than one browser in the same session he could logout only with the original login browser. The other one doesn't know the cookie. For me a IP/MAC solution is secure enough. Spoofing the HTTP REMOTE_ADDR is not that easy. You need a proxy server for this. And what is the risk? The effort is high for what? Log-out another user from your hotel network.

    Working with IP address has another advantage. I use "daloradius" to manage my radius database. In daloradius is a logout functionality which isn't working with Pfsense. Psense hasn't the api of PoD (Package of Disconnect) nor CoA (Change of Authorization). With IP logout I could extend "index.php" with two parameters IP & MAC. With this I could call the logout window and I would be able to disconnect a user from daloradius.

    Do we have to patch pfsense always or is there a plan to replace current logout windows in the official Pfsense version? Who is responsible for captiveportal?


  • Rebel Alliance Developer Netgate

    Unrelated to this thread, we committed a change to 2.3 this week to switch index.php to a logout page if you reload the portal URL.

    https://github.com/pfsense/pfsense/commit/d2ecbddc79a9b67cae52fca6cd3b7bebd758b047

    Be sure to read the note on the commit.



  • @Gertjan:

    Here are my modifications that work with cookies:

    Please note : I use the https version of the captive portal with a valid (startssl.com certificat) (I don't know if this is important).
    Right now, (January 2015) this setup works on one of my pfSense installations (an hotel).
    I'm using a nearly clean, original "2.1.5-RELEASE (amd64) built on Mon Aug 25 07:44:45 EDT 2014".

    edit: these pastebin.org files are locked 'forever' - keep in mind that used to work with 2.1.5 - They might need some re-coding for 2.2.

    File: /usr/local/captiveportal/index.php : http://pastebin.com/scYuKTyw - index.php - compare and modify last ~ 15 lines
    Basically, this parted gets inserted:

    } else if ((isset($_COOKIE['cookie_portal']) && already_connected($_COOKIE['cookie_portal'])))
            /* if we have a valid session, display already connected page - offer logout */
            portal_reply_page($redirurl, "already_connected",null,$clientmac,$clientip);
    

    File /etc/inc/captiveportal.php :

    1. Replace the entire function portal_reply_page(…) with this one : http://pastebin.com/piamkhNB

    2. Just above this new function portal_reply_page(...), add this new function already_connected(…) : http://pastebin.com/CFatytZ9

    3. Replace the entire function portal_allow(…) with this one : http://pastebin.com/jDHVaNwf (actually, I just added nearly at the bottom one line:

    	setcookie("cookie_portal", $sessionid);	
    

    And:
    Upload these two files with the FileManager available in the Captive Portal:
    style.css - http://pastebin.com/MqwEcxVP (this file will be called and used as captiveportal-style.css when uploaded)
    xxxxxxx-already-connected.html  - http://pastebin.com/PUyQvAuv (this file will be called and used as "captiveportal-xxxxxxx-already-connected.html" when uploaded)

    You probably have to change the first part of the last file name = "xxxxxxx" in xxxxxxx-already-connected.html
    Edit your instance (zone) of your captive portal. You will find the wanted parted in the URL:
    Example, mine is showing this:
    http://192.168.1.1/services_captiveportal.php?zone=xxxxxxx
    (Note: my first and unique Captive portal zone is being called "ZONE1" - that's NOT the part we wanted)

    Hi Gertjan, if you're still there I just wanted to know if its working with freeradius auth? I did tried this one. But I guess  I'm a bit lost. I don't know where is the Zone thing  :'( :'( :'(

    The issue is: I've been redirected to the disconnecting page. I was expecting that I may not be able to use the net, but I still can.



  • Yes, I'm still here.

    You are using Radius -I'm not. So you tell me if everything works with your setup.

    This https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L167 should probably be checked out.

    Btw :

    File: /usr/local/captiveportal/index.php : http://pastebin.com/scYuKTyw - index.php - compare and modify last ~ 15 lines
    Basically, this parted gets inserted:

    This is wrong. The cookie is laso destoyed at line 124 (see pastebin link).



  • @Gertjan:

    Yes, I'm still here.

    You are using Radius -I'm not. So you tell me if everything works with your setup.

    This https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L167 should probably be checked out.

    I also have that line sir. Here's my index link: http://pastebin.com/ZU2TNYeZ - index.php and my inc file: http://pastebin.com/1sD9iZb3
    Hope you don't mind checking it out. I'm a bit lost.  :'(  :'(  :-[

    [quote]
    Btw :

    File: /usr/local/captiveportal/index.php : http://pastebin.com/scYuKTyw - index.php - compare and modify last ~ 15 lines
    Basically, this parted gets inserted:

    This is wrong. The cookie is laso destoyed at line 124 (see pastebin link).

    Should i remove that part in my code?

    By the way, im in the part when i clicked the "LOGOUT" i am redirected in "Disconnecting" but im still connected.
    ??? :o



  • Hi Gertjan,

    Hope you are doing great!

    I have tried this in 2.3 but its not working, any modification to make logout working in 2.3



  • Going well here  :)

    2.3 isn't really different when it concerns the captive portal code.

    I guess the patches can be applied when you know that you have to patch the intelligent way : line numbers have changed, some code changes have been made, etc.
    You have to know what you patch in, what it does - en what the actual code does.

    What different is : Knowing that the "lookup-session-with-cookie" method doesn't work (most BOYD devices use bare-bone navigators that do not store the cookie) the "logout"
    Added to that : Here in France "Internet" costs about nothing, so I sell it using the same price to my clients (visitors). This implies that people aren't looking to disconnect anymore.

    So, you can understand that I 'm not looking anymore to have users disconnecting themselves.
    (although I have a "disconnect-for-inactivity" very low : 30 minutes).



  • Thanks Dear,

    I'll try to work it out.



  • @Gertjan
    Hello Gertjan,

    I read all the thread with attention.
    I'm real bad in coding, i'm a network lad.

    You look to know very well php, and pfsense captive portal auth and co management.
    Sorry to dig out this old topic, but i have diffilculties to find the simple solution i'm looking for.

    So i ask for your help sir..

    All i need is a simple logout php or html page that send directly a logout command to the server and logs out the client that start that page. No action needed by the client (no click, nothing)

    I tried with the examples you gave but no success, i know sh** in php..

    Your help would be very much apreciated

    Regards


  • Rebel Alliance

    when @brinch enjoy digging up burried threads a bit too much
    alt text

    could you please create a new thread ?



  • :D
    I've done it already.
    But that guy mentioned is the one! @Gertjan



  • Portal logout page :

    The thing is : browser got smarter these days.
    Cookies aren't stored or accisble by default any more.
    Browser do NOT accept popup, pages (any more) .....

    So, the logout page you push out when the user logs in doesn't get show up on the user's screen as a windows or tab where the user can logout.
    And you can not control the users browser settings ...

    When time is money : explain the user while he is logging in that the soft-timeout is set to a very low value, which means that without user activity, the user gets disconnected fast.
    Also : inform the user that he should de activated his Wifi connection on his side when he is done using your resources. If not : his credit time will get used .... So, when the user disconnects, the idle (soft) time will handle everything for you without any coding.



  • Ok, i understand.

    But there me be a very easy way to write a simple php page that directly log out the user who launches it. No pop up, no confirmation button.

    http://mypfsense:8004/logout.php

    Just a function that get the session id and kill the current session.

    I tried to code something with the elements you gave, but it didn't work ...



  • @brinch said in Captive portal manual logout page address:

    I tried to code something with the elements you gave, but it didn't work ...

    You should :
    Obtain user's IP and MAC (see /usr/local/captiveportal/index.php how to get the, it's easy.

    Use this to get the session ID :

    Use https://github.com/pfsense/pfsense/blob/fb249aefa378172d6c246e62d15a8da40d80c5b6/src/etc/inc/captiveportal.inc#L2834 to get the session entry.

    $cpentry[5] should contain the session ID.

    Now call https://github.com/pfsense/pfsense/blob/fb249aefa378172d6c246e62d15a8da40d80c5b6/src/etc/inc/captiveportal.inc#L1214 using this session ID.



  • This post is deleted!


  • This worked for me :

    <?php
    
    require_once("captiveportal.inc");
    require_once("auth.inc");
    require_once("functions.inc");
    
    global $g, $config, $cpzone, $cpzoneid;
    
    /* Are there any portals  ? */
    if (is_array($config['captiveportal'])) {
    	/* For every portal (cpzone), do */
    	foreach ($config['captiveportal'] as $cpkey => $cp)
    		/* Sanity check */
    		if (is_array($config['captiveportal'][$cpkey])) 
    			/* Is zone enabled ? */
    			if (array_key_exists('enable', $config['captiveportal'][$cpkey])) {
    				$cpzone = $cpkey;
    				$cpzoneid = $cp['zoneid'];
    				$client_ip = $_SERVER['REMOTE_ADDR'];
    				$cpentry = array();
    				$cpentry = captiveportal_isip_logged($client_ip);
    				if ( array_key_exists(5, $cpentry) ) {
    				captiveportal_disconnect_client($cpentry[5], 1, "USER LOGOUT");
    				}
    			}
    	}
    ?>
    

    Note : the $cpzone should be set to the actual captive portal zone instance name !
    ( I'll update this post later on so the code will scan over all active captive portal zone instances )

    When I visited this /logout.php page, I was logged out.

    edit : code updated.



  • @Gertjan

    Thank you very much, it does the trick.

    Have a good day



  • I just updated the code ^^



  • any tutorial process to input this code? or edit and add
    thanks in advance ive got this issue with my client users for how many months.



  • @netx34 said in Captive portal manual logout page address:

    any tutorial process to input this code? or edit and add

    Yep.

    Place (create) it here : /usr/local/captiveportal
    Call the file "logout.php".

    Note : this is NOT a file you can upload into the pfSense Captive Pprtal's file manager !!

    Now you can use
    http://portal.mypfsense.tld:8004/logout.php
    or
    http://192.168.2.1:8004/logout.php

    ( if 192.168.2.1 is the IP address of the captive portal's interface - or your set "portal.mypfsense.tld" as the FQDN to this IP using the Resolver.
    "8004" is just an example, your port number might be different. )



  • @Gertjan thank you,
    im now test it before i deploy it to my exact pf serve,
    great work and update.

    update later after work.



  • btw only the logout.php can apply FQDN for the domain name



  • @netx34 said in Captive portal manual logout page address:

    btw only the logout.php can apply FQDN for the domain name

    What do you mean ?



  • When I visited this /logout.php page, I was logged out.

    So this code works great, thanks. I'm adding in a redirect at the end of the file - it works - but it takes around 20 seconds too load the login page - or any page

    Any ideas on a workaround? - I assume the portal is interfering somehow.

    <script>window.location.replace("http://example.com");</script>
    
    

    edit: weird, it a happened a few times, restored a backup and it now works fine..



  • @guntery said in Captive portal manual logout page address:

    I'm adding in a redirect at the end of the file

    What are you talking about ?
    What file ? The script from above ? That a massive "log everybody out" script file.

    After throwing everybody out, why would you redirect yourself to http://example.com ? Why not the pfSense GUI ?



  • Huh? It logs out the user who goes to that page not all users.

    the redirect goes to the splash page either way though right (it's an example), in this case I have 2 captive portals with differing IP's and 1 logout script so it was easier to use the domain redirect not the CP IP



  • @guntery said in Captive portal manual logout page address:

    uh? It logs out the user who goes to that page not all users.

    I stand corrected.
    Had to review the script and true, the caller gets logged out.
    Sorry for the noise ^^


Log in to reply