IPFire GUI Logout?

Hello,

I miss the possibility to log out from the IPFire interface.

I have to close the browser every time to close the connection.

But if I am not allowed to do that because another application is running, others could have access to the IPFire.

Is there a way to achieve the logout.

I don’t want to reboot the IPFire every time. :roll_eyes:

2 Likes

Good point pic18f2550

I had not noticed that, maybe a time out after certain period of inactivity. A direct logout button could be nice.

Developers, what do you think? Shame I don’t know nothing how to program.

Hi @pic18f2550

I am not sure what the problem is that you have with shutting down the browser after you have finished with IPFire or are you carrying out the IPFire admin work on another persons computer.

If you are trying to do IPFire admin, such as setting up a fixed IP, when you are at a client computer then I would think that using a laptop would be the best idea as the admin is then being done on a machine that you are fully in control of.

2 Likes

Why not also provide a read-only user without admin rights?
It could be useful to allow you to see the reports but without the possibility to modify or see certain parameters.
Giuseppe

2 Likes

@sk7176
I disagree. There’s a lot of confidential configuration that is visible, even without edit permissions.

I can understand the original request, should an admin find it necessary to access the firewall settings in the user’s session WITHOUT terminating the user’s browser session, but must agree that closing the browser is a reasonable solution in most circumstances.

In fact, were it me, I would prefer to “switch user” to an account I control before logging to the firewall, and I’d rather NOT use a client device I did not control.

Sure a switch user would be ideal.
Sometimes it happens that you want to allow non-admin users to see the logs, for example.
But in the current state you should either give the admin password, or do the extractions yourself and then pass them the results.
But if you manage several devices, things get complicated.
In short, it would be nice to have the possibility to have not only the admin user.
Giuseppe

Hello,

the “network” consists only of an IPC and the IPFire.

I cannot and must not connect another PC to it (config).

The problem is that the programmer of the control has written the software so that when the browser is ofline the system stops. (eigendlich quite reasonable for control reasons) only I have the problem.

A user management on the IPFire I think is excessive.
Here really only the admin should have access.
Everything else would only expose the system to unnecessary dangers.
After all, this is the 1st firewall that protect our network. :slight_smile:
A timeout I find a bit annoying because it always strikes when you just can not use it.

A button that deletes the cookie I see as a simple solution but also does not protect against stupidity.

Hi @pic18f2550

Okay, so I presume that IPC is Industrial PC and the operators of the machine being run by that PC have to access the browser to carry out their work.

When you can only have the IPC connected to IPFire then that does limit your options.

If you are familiar with perl you could look at the IPFire code and create a patch to do what you are looking for and submit it to the development list for inclusion into IPFire.

The IPFire core developers team is small and they are concentrating on the core functions of IPFire and, when time allows, working on IPFire3. So it is unlikely that they will be able to focus time on what you are asking for.

You could always ask them the question but that would be best done on the developers mailing list rather than the community forum.

https://wiki.ipfire.org/devel/contact

1 Like

Doing it myself would not be a problem if I could understand perl.
In which directory on the IPFire are the GUI pages stored?
It doesn’t cost anything to look inside, and with a little bit of brainpower I will find something on the internet.

e.g. : https://linuxconfig.org/perl-programming-tutorial

The apache vhost commands that bring up the authentication box is in

/etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf

but I am not sure where the connection would need to be broken once this authentication has been successfully carried out.

The various cgi pages are to be found in

/srv/web/ipfire/cgi-bin/

See the wiki for details about submitting patches

https://wiki.ipfire.org/devel/submit-patches

Good luck.

1 Like

I am not sure how easy this is going to be.

I have done a little searching and apparently there is no mechanism to log the user out of an authenticated session in Apache other than closing the browser. I found the following

https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication

2 Likes

This is how it should look.

Let’s see if I can find the place where the HTML page is assembled.

Too bad that it is not PHP because the logout is easier.

1 Like


I searched around a bit in the menu files and found no approach for an extension.
But it’s not a problem, I just took the “shutdown.cgi” and worked on it.
I also found the file with the username and password.
Since a reboot does not disconnect the user, I suspect that there is a variable on the browser that is read with POST.

I have changed the stored username and password,
The next time I refreshed the page, the browser asked for a login.

The aim is to find this variable and replace its content with an invalid one. :sunglasses:

1 Like

Why not just start a second browswer session, only for the IPFire web access?

If the browser is the only interface to your IPC, to control all its functions, you should use a second PC for administration of IPFire. Administer your IPC ( and the application it controls ) and the firewall ( IPFire ) are two different cases, each for another dedicated system.

I have no free port in the network and am not allowed to connect to another PC in the network.
I can’t do anything about it, the customer is the boss and he has the say.
I have also tried to log out with a second start of the browser when closing the same.
But that doesn’t work either.

Could you be a bit more specific about your network?
How are which devices connected?
What is the task of IPfire in this network?
How is the network administered?
What is the task of the IPC?

Hello Bernhard,
the wiring and hardware are a given, nothing can be done about it and it has nothing to do with the topic.
If I could simply connect to the network, I would have no problem.

I’ve understood this situation. :wink:
But my thoughts were about the design of the system. IMO there should be an extra access for maintainance and administration.

Yes, that would make things easier.
I can’t even pull out a plug without an alarm going off.
The port is closed immediately and has to be released again by the service employee.
I’ve already been told off once for that.

Hi all,

if I may take the liberty to comment to this… :slight_smile:

Glad to hear IPFire being useful. :slight_smile:

As @bonnietwin already wrote, HTTP Basic Authentication is rather limited when it comes to logout functionality. It does not submit login credentials via a POST request, but via an HTTP header, though.
Since it is simple and pretty robust in terms of security - apart from possible vulnerabilities in Apache, there is little pre-authentication attack surface -, we would not want to change this unless desperately necessary.

@pic18f2550: Since you must not close your browser nor use a dedicated PC to administer IPFire, could Qubes OS be a solution? That way, you could have one browser instance running for IPFire, and another one in a different VM for the other application. The network won’t notice a difference, since the VM traffic is NATted to one IP address.

Just my two cents on this… :slight_smile:

Thanks, and best regards,
Peter Müller

1 Like