01-07-2014 09:42 PM
Hi,
Captive Portal is used for all LAN (no Active Directory).
We want to kill the captive portal session when a client closes the browser.
Any idea? (We can install scripts etc. on the computers; they are not visitor computers.)
01-08-2014 12:07 AM
Hi Panos,
For me, not possible until the CP is able to use cookies for authentication. When it is OK, for sure you will be able to choose how long the cookie will be valid: a period of time or the browser session.
Hope this helps.
V.
01-08-2014 12:17 AM - edited 08-20-2020 09:24 AM
Hi,
Please read the following pdf DOC :
How to Configure Captive Portal
You will want to use session cookies.
Session cookies will remove user entries when the browser is closed.
Kind regards,
-Kim.
01-09-2014 04:27 AM
You mean every time we close the browser (for all browsers) it will ask for user/pass again?
I don't see that option in that pdf.
01-13-2014 04:25 AM
Hi,
If session cookies are enabled, the user’s entry will be removed from the authentication table after the user closes the browser. If session cookies are not enabled, the entry will be aged out after the specified inactivity timer/expiration timer.
Please refer to the session cookie information on page #11 of the DOC :
A session cookie is stored within the browser itself and is sent within each HTTP request packet. Session cookies are removed when the browser is closed. Enabling session cookie has two advantages:
• The user will not need to re-authenticate when the idle or expiration timers trigger.
• When roaming is enabled, if the machine’s IP address changes, the user will be re-mapped to the new IP. Re-authentication is not required.
The session cookie timeout is an absolute time value. After this period of time has passed, the user will be prompted to login again.
Best practice is to enable session cookies, and to configure the idle and expiration timer to be 1 minute. That way, once the browser is closed, the association will timeout in 60 seconds.
I hope it can help you further.
Kind regards,
-Kim.
01-13-2014 06:31 AM
Timer is 1 hour.
Session cookie is enabled. It also has a timer. So before 1 hour, if you close your browser nothing happens.
01-14-2014 05:52 AM
That is correct
If you close your browser and if your Idle/Expiration timer is set to 1 hour it will keep the association during that timeframe and you will not be asked to re-authenticate should you reopen your browser during that timeframe.
For example ... I configured CP using session cookies and I also configured an expiration and idle timer of 10 minutes :

When I first open my browser I will be redirected to the CP logon page.
When I logon, I get a cookie.
At the same time I get an ip-user-mapping with the timers specified in the above config.
You can check this mapping and timers with the 'show user ip-user-mapping all' command :
admin@PA-500-249> show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.200.21  vsys1  CP      testuser1                        600            600
Total: 1 users
As you can see I got an IP user mapping from CP and the 10 minute timers I configured.
Because I am using session cookies, as long as the browser is kept open, I will not need to re-authenticate ... even if the Expiration/Idle timers expire. I will only need to re-authenticate if my cookie expires (=1440 minutes as per above screenshot).
When I close my browser my cookie will be deleted... however, if my previous mapping has not yet expired then I will not need to re-authenticate when I reopen my browser. That's why in the DOC it says best practice is to set the Idle/Expiration timer 1 minute.
I hope this clarifies things.
Kind regards,
-Kim.
01-14-2014 11:40 AM
Thanks Kim for the details. At first we tried the solution in the PDF but the customer did not accept it. That is why I asked if there is something we can do (run an SSH script) to clear the captive session for that IP (when closing the browser).
Thanks for your time.
01-15-2014 12:32 AM
Hi,
In CLI you can manually delete an ip-user-mapping with the following commands :
clear user-cache ip x.x.x.x
clear user-cache-mp ip x.x.x.x
If you close your browser and clear the ip-user-mapping as shown above the user will have to re-authenticate when reopening the browser.
Kind regards,
-Kim.
01-19-2014 04:49 AM
Hi,
Let me clarify things a little bit, so maybe it will be easier to solve.
We set the timers as below:
idle 1 min
expiration 2 min
session cookie enabled 60 min
So it works if you close the browser and wait max. 1 minute before opening a new one.
The problem is when someone closes the browser and another person comes to the same computer and opens a new browser in 15-20 seconds: it does not ask for user/pass!
This is the real problem. So we know 1 minute is the minimum to trigger that situation.
When closing the browser we want to auto-clear that session.
I'll try to do that with the commands you gave, using the API. Hope we'll solve that.
Thanks for help.
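A small model of the timer and cookie behaviour discussed in this thread, added here as an illustration; it is not PAN-OS code and not from any poster. The class and function names are hypothetical, the timer semantics are an assumption drawn from the replies above, and the values are the 1 min idle / 2 min expiration / 60 min cookie settings from the post above.

```python
from dataclasses import dataclass

@dataclass
class PortalState:
    """Simplified model of one client IP; all times in seconds (assumed semantics)."""
    idle_timeout: int
    expiration: int
    cookie_timeout: int
    login_at: int = 0        # user authenticated on the portal page
    mapped_at: int = 0       # current ip-user-mapping was created
    last_traffic: int = 0
    has_mapping: bool = True
    has_cookie: bool = True

    def mapping_alive(self, now):
        return (self.has_mapping
                and now - self.last_traffic < self.idle_timeout
                and now - self.mapped_at < self.expiration)

    def close_browser(self, now):
        self.has_cookie = False          # session cookie dies with the browser

    def clear_mapping(self):
        self.has_mapping = False         # effect of 'clear user-cache ip x.x.x.x'

    def request(self, now):
        """Return 'allow', 'remap' (cookie re-creates mapping) or 'login'."""
        if self.mapping_alive(now):
            self.last_traffic = now
            return "allow"
        if self.has_cookie and now - self.login_at < self.cookie_timeout:
            self.has_mapping, self.mapped_at, self.last_traffic = True, now, now
            return "remap"
        self.has_mapping = False
        return "login"

def reopen_after_close(gap, clear=False):
    """Browse at t=30, close at t=40, open a new browser `gap` seconds later."""
    s = PortalState(idle_timeout=60, expiration=120, cookie_timeout=3600)
    s.request(30)
    s.close_browser(40)
    if clear:
        s.clear_mapping()
    return s.request(40 + gap)

def browser_left_open(idle_gap):
    """Browser stays open; next request comes after `idle_gap` seconds of silence."""
    s = PortalState(idle_timeout=60, expiration=120, cookie_timeout=3600)
    return s.request(idle_gap)
```

With these settings `reopen_after_close(20)` returns `allow` (the second person inherits the mapping), while `reopen_after_close(20, clear=True)` returns `login`.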
02-03-2014 02:16 AM
I tried to use the API for the client and clear its session. It is working.
The only thing is we should run that API command while closing the browser. I have to find a way to do that.
02-17-2014 03:34 PM
Question for you KWE,
Which version of PAN-OS are your answers valid for? I am working on Setting up Captive Portal and have it working - and your answers help address a major issue I have to handle before roll out... that of "resetting" captive portal when the browser closes and not forcing a user to re-authenticate every 15 minutes.
thanks
Art
02-26-2015 09:55 PM
1 minute is small. Customers put 10 hours. For example, you put a lot of information into a web form, and when it takes you more than 1 minute, then when you click POST all the information disappears and the login message appears again.

