topic Re: ending captive session with browser close in General Topics

ending captive session with browser close

Retired Member — Wed, 08 Jan 2014 05:42:33 GMT

Hi,

Captive Portal is used for all LAN (no Active directory)

we want to kill captive portal session when a client closes the browser.

Any idea ? (we can install scripts or etc. to computers, they are not visitor computers)

Re: ending captive session with browser close

VinceM — Wed, 08 Jan 2014 08:07:05 GMT

Hi Panos,

For me, not possible until the CP be able to use cookies for authenticiation. When it will be ok , for sure you will be able to choose how long the cookie will be valid, a period of time or browser session.

Hope help.

Re: ending captive session with browser close

kiwi — Thu, 20 Aug 2020 16:24:46 GMT

Hi,

Please read the following pdf DOC :

How to Configure Captive Portal

You will want to use session cookies.

Session cookies will remove user entries when the browser is closed.

Kind regards,

-Kim.

Re: ending captive session with browser close

Retired Member — Thu, 09 Jan 2014 12:27:24 GMT

you mean everytime when we close the browser(for all browsers) it will ask user pass again ?

I don't see that option in that pdf.

Re: ending captive session with browser close

kiwi — Mon, 13 Jan 2014 12:25:56 GMT

Hi,

If session cookies are enabled, the user’s entry will be removed from the authentication table after the user closes the browser. If session cookies are not enabled, the entry will be aged out after the specified inactivity timer/expiration timer.

Please refer to the session cookie information on page #11 of the DOC :

A session cookie is stored within the browser itself and is sent within each HTTP request packet. Session cookies are removed when the browser is closed. Enabling session cookie has two advantages:

• The user will not need to re-authenticate when the idle or expiration timers trigger.

• When roaming is enabled, if the machine’s IP address changes, the user will be re-mapped to the new IP. Re-authentication is not required.

The session cookie timeout is an absolute time value. After this period of time has passed, the user will be prompted to login again.

Best practice is to enable session cookies, and to configure the idle and expiration timer to be 1 minute. That way, once the browser is closed, the association will timeout in 60 seconds.

I hope it can help you further.

Kind regards,

-Kim.

Re: ending captive session with browser close

Retired Member — Mon, 13 Jan 2014 14:31:08 GMT

timer is 1 hour

session cookie is enabled.it also has a timer.So before 1 hour if you close your browser nothing happens.

Re: ending captive session with browser close

kiwi — Tue, 14 Jan 2014 13:52:54 GMT

That is correct

If you close your browser and if your Idle/Expiration timer is set to 1 hour it will keep the association during that timeframe and you will not be asked to re-authenticate should you reopen your browser during that timeframe.

For example ... I configured CP using session cookies and I also configured an expiration and idle timer of 10 minutes :

When I first open my browser I will be redirected to the CP logon page.

When I logon, I get a cookie.

At the same time I get an ip-user-mapping with the timers specified in the above config.

You can check this mapping and timers with the 'show user ip-user-mapping all' command :

admin@PA-500-249> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

192.168.200.21 vsys1 CP testuser1 600 600

Total: 1 users

As you can see I got an IP user mapping from CP and the 10 minute timers I configured.

Because I am using session cookies, as long as the browser is kept open, I will not need to re-authenticate ... even if the Expiration/Idle timer expire. I will only need to re-authenticate if my cookies expires (=1440 minutes as per above screenshot).

When I close my browser my cookie will be deleted... however, if my previous mapping has not yet expired then I will not need to re-authenticate when I reopen my browser. That's why in the DOC it says best practice is to set the Idle/Expiration timer 1 minute.

I hope this clarifies things.

Kind regards,

-Kim.

Re: ending captive session with browser close

Retired Member — Tue, 14 Jan 2014 19:40:46 GMT

Thanks Kim for details.At first we tried that solution at pdf but customer did not accept.That is because I asked if there is something we can do(run a ssh script) to clear the captive session for that ip(when closing the browser)

Thanks for your time.

Re: ending captive session with browser close

kiwi — Wed, 15 Jan 2014 08:32:52 GMT

Hi,

In CLI you can manually delete an ip-user-mapping with the following commands :

clear user-cache ip x.x.x.x

clear user-cache-mp ip x.x.x.x

If you close your browser and clear the ip-user-mapping as shown above the user will have to re-authenticate when reopening the browser.

Kind regards,

-Kim.

Re: ending captive session with browser close

Retired Member — Sun, 19 Jan 2014 12:49:26 GMT

Hi,

Let me clear the thing a little bit so maybe it will be better to solve that.

we made timers as below:

idle 1 min

expiration 2 min

session cookie enabled 60min

so it works if you close the browser and wait max. 1 minute before opening new one.

the problem is when someone closes the browser and other person comes to same computer and opens a new browser in 15-20 seconds, it does not ask user pass !!!!

This is the real problem.So We know 1 minute is minimum.to trigger that situation.

When closing the browser we want to auto clear that session.

I'll try to do that with the commands you gave with API.Hope we'll solve that.

Thanks for help.

Re: ending captive session with browser close

Retired Member — Mon, 03 Feb 2014 10:16:37 GMT

I tried to use API for the client and clear it's session.It is working.

Only thing we should run that API command while closing the browser.I have to find a way to do that.

Re: ending captive session with browser close

Art — Mon, 17 Feb 2014 23:34:39 GMT

Question for you KWE,

Which version of PAN-OS are your answers valid for? I am working on Setting up Captive Portal and have it working - and your answers help address a major issue I have to handle before roll out... that of "resetting" captive portal when the browser closes and not forcing a user to re-authenticate every 15 minutes.

thanks

Art

Re: ending captive session with browser close

dbatrankov — Fri, 27 Feb 2015 05:55:46 GMT

1 minute is small. Customers put 10 hours. For example you put a lot of information to web form and when it took you more than 1 minute - when you click POST then all information disappear and login message appear again.