Hi
I have customized login.html display the terms and condition (T&C) and have a checkbox for the user to agree to the T&C.
For the username, I have made it use the MAC and a hidden field:
<input type="hidden" name="username" value="$(mac)">
The Hotspot is free to users and Radius is used to limit the user to X session time.
All works well, but there is a security flaw. Using Firefox I can see the browser submitting the username field to the login servlet, so when the user has reached the free session limit, the user can manually post to the servlet (eg using curl), modifying the MAC address and get another free session.
I know the user can spoof the MAC address, but I am trying to prevent spoofing at the HTML/servlet level.
Can anyone tell me how I can solve this issue? Is there perhaps an event that can be generated before the login, which I can validate the username variable is actually the MAC, and proceed to login if true else reject the login?
The only event I can see is the on-login, and the worst case I can do a post login check and log the user out. How do I logout the user from the script? I have tried the below but obviously it does not work because the \tool fetch command will not know which session to log out.
:local freeuser [/ip hotspot active find user=$user];
:local freemac [/ip hotspot active get $freeuser mac-address];
:if ( $user = $freemac) do={
:log info ("valid user");
} else {
:log info ("invalid user");
/tool fetch url="http://<router_address>/logout" mode=http ;
}
Regards
Keith