Captive portal manual logout page address

amitaussie

Hi Gertjan!

This solution is perfect now, I hope! working great in 2.2!

setcookie("cookie_portal", $sessionid, time()+strtotime("+1 day"));

For one day it is ok.
Testing it further to see if there's anything to improve (hopefully nothing :))

Thanks & Regards

Gertjan

@amitaussie:

….
Testing it further to see if there's anything to improve (hopefully nothing :))

Ok, good.
I conclude that you do not use any smartphones like Androids en iDevices (iPhone, iPads) on your portal network ?
Because they use CNA 'navigator' which will discard the cookie on login …..
This means that, as you said already, people have to re-login with their 'real' browser to get a cookie - to be able to log out ....

amitaussie

Hi!

Well…

People do use smartphones to browse internet in my network. So you mean to say they won't be able to access log out page...oh! ok. If it can be solved then its great! Otherwise not a big issue as everyone uses his own smartphone etc. and if they are not served a log out page.

Thanks & Regards!

doktornotor

@amitaussie:

So you mean to say they won't be able to access log out page…oh! ok. If it can be solved then its great! Otherwise not a big issue as everyone uses his own smartphone etc. and if they are not served a log out page.

No, no, no… you misunderstood that issue. They will be logged out as soon as they've logged in via the crippled CNA "browser". They need to use their real browser to log in if they want to continue browsing.

amitaussie

Hi!

oh ! Is this CNA browser feature offered by Apple IOS only ? As I have checked with my Samsung mobile, i am offered my CP login page and after log in, I am able to browse and recall log out page. Its working in Samsung mobile.

Do i have to install any other browser in Apple devices to bypass this CNA feature, like chrome etc.?

Thanks & Regards!

amitaussie

doktornotor

@amitaussie:

Do i have to install any other browser in Apple devices to bypass this CNA feature, like chrome etc.?

Will not help. The only way to avoid this junk is to avoid CP detection altogether.

EMWEE

No, no, no… you misunderstood that issue. They will be logged out as soon as they've logged in via the crippled CNA "browser". They need to use their real browser to log in if they want to continue browsing.

When i login via CNA everything works fine. I just use the less secure IP/MAC solution.

doktornotor

@EMWEE:

I just use the less secure IP/MAC solution.

Yeah, so what exactly does this have to do with the manual logout page?

EMWEE

@doktornotor:

No, no, no… you misunderstood that issue. They will be logged out as soon as they've logged in via the crippled CNA "browser". They need to use their real browser to log in if they want to continue browsing.

They won't be logout…they r just not getting the cookie (or am I missing something). So I use the IP/MACso users can use CNA or browser.

doktornotor

This entire thread has been discussing how to log out people by using a cookie. So yeah, you can use CNA just fine if you not using logout, just don't get why are you discussing this on a CP manual logout thread…

EMWEE

@doktornotor:

This entire thread has been discussing how to log out people by using a cookie. So yeah, you can use CNA just fine if you not using logout, just don't get why are you discussing this on a CP manual logout thread…

No its not. It been discussed using IP/MAC too at the first page..and this does work with CNA.  Im just stating this since the cookie solution is troublesome for phones/tablets.

Gertjan

doktornotor, you joined in with the "cookie issue with CNA"  which, by the way, destroyed half the fun, not because it was true but because I thought it was working good, or all prove was there that it wasn't  ;) CNA f*cked that up.
It was lsense, who told use that he uses cookies https://forum.pfsense.org/index.php?topic=77143.msg421812#msg421812
I wasn't doing so, before. I used a lookup with IP and MAC which I found secure enough because my portal uses https. (But, for some reason, it seems to me that most of us don't)

Anyway, who cares  :D

Maybe I should write-up a cookie+(MAC/IP) …. but what I realy need it the answer to his first:
https://forum.pfsense.org/index.php?topic=77143.msg478165#msg478165
Last "Btw":
@lsense:

modify capture of 1.1.1.1 in ipfw : it gets always redirected, even if authenticated

"Could you detail this please ? What is de ipfw rule ? Injected where ?"
(Ok, I know where, but what ipfw rule ? I'm an iptables man)

I'd like to know how to make a short simple easy-to-remember logout URL, like "logme.out" or even "logout" that get redirected to the captive portal web server.
Any ideas ?

Byw: It's easy to circumvent the CNA login culprit.
Just connect to the Wifi network.
The CNA pops up.
Shut it down ! (iDevice: hit de home button).
Open the real browser, like Safari or whatever you have on your iDevice.
Login.
The cookie will be there.
Tested and works every time on an iDevice.

EMWEE

I use a NAT rule: IP of CP port 80 redirect to 8002.

And a DNS record: logout.me with ip of the CP.

I bet Isense redirect 1.1.1.1 to CP IP:800x

amitaussie

Hi!

Its working for last more than 24 hours, squid3+transparent proxy+ SSL bump+ squidguard + CP Logout page, no glitches, restarted, everything is working flawless, checked on pcs and mobiles. Everything seems Ok! ;D

Thanks & Regards!

amitaussie

supachai

Hi! All
I have the same problem
I want to logout manual
Please help me step by step.

Thank

EMWEE

See the first pagr on this topic.

supachai

thank you …

lsense

@Gertjan:

Last "Btw":
@lsense:

modify capture of 1.1.1.1 in ipfw : it gets always redirected, even if authenticated

"Could you detail this please ? What is de ipfw rule ? Injected where ?"
(Ok, I know where, but what ipfw rule ? I'm an iptables man)

sorry for the timed out reply, I report it here just for reference.
search for the comment  "Authenticated users rules" in /etc/inc/captiveportal.inc and put those two lines in:

	/* Authenticated users rules. */
	$cprules .= "add {$rulenum} fwd 127.0.0.1,{$listenporthttp} tcp from any to 1.1.1.1 in\n";
	$rulenum++;
	$cprules .= "add {$rulenum} pipe tablearg ip from table(1) to any in\n";
	$rulenum++;
	$cprules .= "add {$rulenum} pipe tablearg ip from any to table(2) out\n";
	$rulenum++;

Enrica_CH

@Gertjan
The cookie solution has another disadvantage. If user uses more than one browser in the same session he could logout only with the original login browser. The other one doesn't know the cookie. For me a IP/MAC solution is secure enough. Spoofing the HTTP REMOTE_ADDR is not that easy. You need a proxy server for this. And what is the risk? The effort is high for what? Log-out another user from your hotel network.

Working with IP address has another advantage. I use "daloradius" to manage my radius database. In daloradius is a logout functionality which isn't working with Pfsense. Psense hasn't the api of PoD (Package of Disconnect) nor CoA (Change of Authorization). With IP logout I could extend "index.php" with two parameters IP & MAC. With this I could call the logout window and I would be able to disconnect a user from daloradius.

Do we have to patch pfsense always or is there a plan to replace current logout windows in the official Pfsense version? Who is responsible for captiveportal?

jimp

Unrelated to this thread, we committed a change to 2.3 this week to switch index.php to a logout page if you reload the portal URL.

https://github.com/pfsense/pfsense/commit/d2ecbddc79a9b67cae52fca6cd3b7bebd758b047

Be sure to read the note on the commit.