ending captive session with browser close

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ending captive session with browser close

L6 Presenter

Hi,

Captive Portal is used for all LAN (no Active directory)

we want to kill captive portal session when a client closes the browser.

Any idea ? (we can install scripts or etc. to computers, they are not visitor computers)

12 REPLIES 12

L5 Sessionator

Hi Panos,

For me, not possible until the CP be able to use cookies for authenticiation. When it will be ok , for sure you will be able to choose how long the cookie will be valid, a period of time or browser session.

Hope help.

V.

Community Team Member

Hi,

 

Please read the following pdf DOC :

How to Configure Captive Portal

 

You will want to use session cookies. 

Session cookies will remove user entries when the browser is closed.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

you mean everytime when we close the browser(for all browsers) it will ask user pass again ?

I don't see that option in that pdf.

Community Team Member

Hi,

If session cookies are enabled, the user’s entry will be removed from the authentication table after the user closes the browser. If session cookies are not enabled, the entry will be aged out after the specified inactivity timer/expiration timer.

Please refer to the session cookie information on page #11 of the DOC :

A session cookie is stored within the browser itself and is sent within each HTTP request packet. Session cookies are removed when the browser is closed. Enabling session cookie has two advantages:

The user will not need to re-authenticate when the idle or expiration timers trigger.

When roaming is enabled, if the machine’s IP address changes, the user will be re-mapped to the new IP. Re-authentication is not required.

The session cookie timeout is an absolute time value. After this period of time has passed, the user will be prompted to login again.

Best practice is to enable session cookies, and to configure the idle and expiration timer to be 1 minute. That way, once the browser is closed, the association will timeout in 60 seconds.


I hope it can help you further.


Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

timer is 1 hour

session cookie is enabled.it also has a timer.So before 1 hour if you close your browser nothing happens.

Community Team Member

That is correct

If you close your browser and if your Idle/Expiration timer is set to 1 hour it will keep the association during that timeframe and you will not be asked to re-authenticate should you reopen your browser during that timeframe.

For example ... I configured CP using session cookies and I also configured an expiration and idle timer of 10 minutes :

Screen Shot 2014-01-14 at 14.39.45.png

When I first open my browser I will be redirected to the CP logon page.

When I logon, I get a cookie.

At the same time I get an ip-user-mapping with the timers specified in the above config.

You can check this mapping and timers with the 'show user ip-user-mapping all' command :

admin@PA-500-249> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

192.168.200.21  vsys1  CP      testuser1                        600            600        

Total: 1 users

As you can see I got an IP user mapping from CP and the 10 minute timers I configured.

Because I am using session cookies, as long as the browser is kept open, I will not need to re-authenticate ... even if the Expiration/Idle timer expire.   I will only need to re-authenticate if my cookies expires (=1440 minutes as per above screenshot).

When I close my browser my cookie will be deleted... however, if my previous mapping has not yet expired then I will not need to re-authenticate when I reopen my browser.  That's why in the DOC it says best practice is to set the Idle/Expiration timer 1 minute.

I hope this clarifies things.

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks Kim for details.At first we tried that solution at pdf but customer did not accept.That is because I asked if there is something we can do(run a ssh script) to clear the captive session for that ip(when closing the browser)

Thanks for your time.

Community Team Member

Hi,

In CLI you can manually delete an ip-user-mapping with the following commands :

clear user-cache ip x.x.x.x

clear user-cache-mp ip x.x.x.x

If you close your browser and clear the ip-user-mapping as shown above the user will have to re-authenticate when reopening the browser.

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi,

Let me clear the thing a little bit so maybe it will be better to solve that.

we made timers as below:

idle 1 min

expiration 2 min

session cookie enabled 60min

so it works if you close the browser and wait max. 1 minute before opening new one.

the problem is when someone closes the browser and other person comes to same computer and opens a new browser in 15-20 seconds, it does not ask user pass !!!!

This is the real problem.So We know 1 minute is minimum.to trigger that situation.

When closing the browser we want to auto clear that session.

I'll try to do that with the commands you gave with API.Hope we'll solve that.


Thanks for help.

I tried to use API for the client and clear it's session.It is working.

Only thing we should run that API command while closing the browser.I have to find a way to do that.

Question for you KWE,

    Which version of PAN-OS are your answers valid for?  I am working on Setting up Captive Portal and have it working - and your answers help address a major issue I have to handle before roll out... that of "resetting" captive portal when the browser closes and not forcing a user to re-authenticate every 15 minutes.

thanks

Art

1 minute is small. Customers put 10 hours. For example you put a lot of information to web form and when it took you more than 1 minute - when you click POST then all information disappear and login message appear again.

  • 7367 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!