Web authentication captive page

Firmware: SFOS 20.0.0 GA-Build222

Hey Akshay Hegde ,

Thank you for reaching out to the community, please refer the Captive portal basics.

Hi  Vivek,

I had gone through it. We're using Sign out user --> When user is inactive  settings.

After we close tab and re-open captive portal page why we're not getting signout button ? user is still active.

Expected: when user is already active as per sophos session table, signout / logout button should show when user re-visit captive portal page. ( In Authelia this happens which is expected behavior )

The current behavior has existed since the start of XG and the way it is intended to be used.

It is a security measure that the XG does not give any current login information to clients.  Without it, a computer could spoof their IP address and query the XG for each to find out which IPs are logged in and which are not.

Customers who use the "when inactive" typically have computers that have one user all the time and never change.  The only time that the computer becomes inactive is if is does something like disconnect from the network or go to sleep.

If you are frequently wanting to change users on a given device you should probably use "when captive portal page is closed or redirected".  This setting is typically used if you have computers anyone can log into, such as a school.

If this is an infrequent or one off, you can always log in again and then hit the log out button.  Annoying, I agree.

Hi Michael thanks for the clarification it convincing. One more query. 

If someone spoof IP which is already logged in.  Whether sophos having any mechanism to understand this ?  Session can be hijacked right ?

Scenario is when you have L3 routing. Sophos will not get user MAC address.

User <----> LAN  <----> L3 routing <----> Sophos <---> WAN

Hi Michael thanks for the clarification it convincing. One more query. 

If someone spoof IP which is already logged in.  Whether sophos having any mechanism to understand this ?  Session can be hijacked right ?

Scenario is when you have L3 routing. Sophos will not get user MAC address.

User <----> LAN  <----> L3 routing <----> Sophos <---> WAN

The XG maintains a list of what user is logged into what IP address, it does not not use MAC address.
Yes in theory spoofing where one computer appears as another (logged in) computer could occur.  However in practical terms it cannot because of the problems where two computers share the same IP address.  Moreover the impact is low.  The worst would be...  if you had a web policy that blocked Facebook but you knew that Jack down the hall had a different web policy that was allow all, you could spoof Jack's IP and not get blocked.  So you have issues of the wrong policy being applied and the wrong user appearing in reports, but you don't have any loss of security.  The reality is that most people who are bypassing web policy just use their phone connected directly to their cell phone company.