Force users to login before they use internet

hiprakhar · April 3, 2010

Hi,

I am making a project for my college for Lab maintenance. In this I have to keep track of students using the computers in the internet lab.

For this I have made a php based web application (running on localhost in the lab). In this the students will be allotted a particular system when they enter their credentials. They have to go and sit on that particular system to access the internet. Before leaving the lab they also have to logout to disengage the computer to be available for use to another student.

This can be taken as a simple register kept at the door of the entrance where people have to fill their details and enter. I AM NOT USING WINDOWS SERVER AND THIS IS NOT A DESKTOP BASED APPLICATION.

The big flaw is that the student can still sit on the internet computer without entry. Or they can sit on another computer different from the one allotted.

The sample is available: www.prakhargoel.com/projects/lms Use "0710040" as username and "hello" as password. The admin panel is available at: www.prakhargoel.com/projects/lms/labadmin Use "hello" "hello"

What is desired now

Because of this big flaw It would be gr8 that whenever someone sits on any computer and tries to open any site, they should be redirected to the login page and forced to login. Without which the internet will not work. The system number can be tracked using the ip address we put like: 192.168.1.56 etc.

The internet will work only for the time the student is logged in. When they logout the internet should again stop working.

Please suggest what should I do to make this happen...

ignace · April 3, 2010

Install Apache as a service and create a new VirtualHost (http://httpd.apache.org/docs/2.2/mod/core.html#virtualhost)

This will catch all traffic going through port 80 direct it to your application:

DocumentRoot /var/www/..

</VirtualHost>

Check if they have valid login credentials if not show the login form if successful load the website (file_get_contents() presumably do not use header() as it will create an infinite loop)

hiprakhar · April 21, 2010

Hi,

I am trying to apply virtual host to make students force to login before accessing internet. I tried but there were some problems with the sessions when using virtual host.

Moreover, with virtual host I have to do something such that redirection takes place to the login page if user visits any sit without login.

I need a very simple solution. The problem is that I simply dont want anyone to be able to open any website without logging into a php mysql based system. Now I have a couple of fancy ideas:

1) Use VirtualHost, with some more understanding to how it works

2) We are behind proxy walls. So we can do something like initially all browser connection settings are configured wrong. Then upon successful login, right settings are configured using javascript or some combination of batch files triggered by javascript. After logout, the settings are again configured wrong.

3)Windows doesnt boot or some necessary files are not loaded unless someone logins on the php-mysql login page.

We need anything just to make sure the user is not accessing internet without login. We dont need to anything hifi like analysing traffic data etc.

We *dont* need to care about:

1) What sites user is surfing

2) how long he would be there

The best solution that I think is something where this php-mysql system can keep track of the logged in ips. If they ip from where the request for google.com or any page is coming is logged in, kudos, go ahead and access internet. Else back to square one and you are redirected to login page.

We cant use proxy things for that as that is completely a separate department.

The structure of the lab is very simple. We have about 100 computers in the lab all connected on LAN. The IP address is something like 192.168.0.3,4,5,...100

One of the computer in the lab is made the server where mysql and apache are installed. Rest all computers simply go to 192.168.0.36/lms (36 is the computer no of server and lms is the folder inside which the login files are located)

please someone suggest a cool idea with implementation level details.

Zane · April 21, 2010

If you want to restrict access to the internet, you have to start at the source... the modem.

Whether you have dial-up, DSL, cable or T1; there is a modem somewhere that directs "the internet" everywhere on your network. This is where you would set up your restrictions. If your modem has built-in firewall features then great.. use them. block the main ports for the internet and direct it to another computer on the network that hosts your "Login Screen webpage"

You could use the worst POS computer you got for it too. So long as it hosts a webserver and a database. Once they're logged in.. redirect them to another computer that is allowed internet access.. AKA a proxy server.

Keep in mind though, I'm no networking specialist or security engineer so... if all that sounds vague, forgive me. But in my mind.. that's how it would all work.

hiprakhar · April 21, 2010

@Zanus

Thanks for suggesting the idea. Please provide more implementation level details. We dont have modems here, we have hubs connecting systems together and the main fiber leading to the proxy server where the data is routed back and forth from internet. The login screen is given here http://prakhargoel.com/projects/lms/ you can login using

hiprakhar · April 22, 2010

@Zanus

Thanks for suggesting the idea. Please provide more implementation level details. We dont have modems here, we have hubs connecting systems together and the main fiber leads to the proxy server where the data is routed back and forth from internet. The login screen is given here http://prakhargoel.com/projects/lms/ you can login using student number as "0710040" and password as "demo". The corresponding labadmin panel is at http://prakhargoel.com/projects/lms/labadmin/ Login here with "demo" and "demo"

Now we simply need to do something such that the student is compelled to see this login screen before opening any page on the internet.

Please help with implementation level details. Also suggest if my ideas in the previous post were feasible or are they just fancy imaginations...

Zane · April 22, 2010

Here's something I pulled up after a Google or two

http://www.sustworks.com/site/prod_ipnrx_help/html/InboundPortMappingHelp.html

We dont have modems here, we have hubs connecting systems together and the main fiber leads to the proxy server where the data is routed back and forth from internet

Well, where this main fiber is going..is your modem. You have to have a modem or else.. how are you even getting internet? If it's like you said and there is no modem then you're obviously getting your internet from another source not mentioned. Seeing as how the modem is where you enter your username and password for the Internet you or your company has paid for.

Something needs to be done to the Routing Table.. I'm not exactly sure what it is, but that's where you need to be looking. Whether you're using a modem or not.

JonnoTheDev · April 22, 2010

The simplest answer is to just setup a proxy server that sits between the network computers and the router. Point all the machines at the proxy server for their gateway traffic. You can setup the proxy server to require a username & password before allowing http traffic through. The server can also provide realtime traffic and usage statistics per user. There are loads of proxies to choose from.

hiprakhar · April 22, 2010

Hi Friends!

Thanks for the replies.

@Zanus. We are discussing a college scenario here. The internet functioning is explained below:

A leased line is issued from an ISP. It comes into a windows server. The output from this server's LAN port goes into a switch with 16 extension, each extending into various departments like internet labs, cafeteria, hostels, several offices etc. The wire that comes into internet lab, again goes into a switch with 128 extensions, each entering individual client machine (student).

The proxies are setup in the windows server. Now we DO NOT HAVE ANY CONTROL ON THIS WINDOWS SERVER. This is another department. We have all the control over the stuff inside internet lab.

One possible thing that we can do is setup another proxy server in the internet lab. Wanted to ask you that we have low configuration machine (server) for that. 1GB Ram, Core2Duo and 250GB HDD. Is that sufficient? Just for handling the proxies. NOTHING ELSE.

Please provide implementation level details how to go ahead with this plan. Please do visit http://prakhargoel.com/projects/lms/ you can login using student number as "0710040" and password as "demo". The corresponding labadmin panel is at http://prakhargoel.com/projects/lms/labadmin/ Login here with "demo" and "demo"

Help..

JonnoTheDev · April 22, 2010

Of course. It does not have to be a poweful machine as it is just routing traffic. Get a copy of linux on it. I would use Squid proxy.

hiprakhar · April 22, 2010

Thanks Neil.

Awkwardly, I am a windows guy, so I have little idea about Linux and Squid. It would be nice of you Neil if you could give some more info about this / pass on some internet pointers. Can the proxies be done on windows server also? Like in the main computer as I described above.

Also tell how after setting up the proxy I can make http://prakhargoel.com/projects/lms/ php mysql system gel with it. I simply need that the proxy should verify who is logged in using this http://prakhargoel.com/projects/lms/ login system (No separate login system after setting up proxy). And only logged in ppl are able to access the internet. Otherwise redirect to square one... the login screen.

How is this part done.

andrewgauger · April 22, 2010

Windows server 2003, IIS, and RRaS can do what you need. ISA is microsoft's product for what you are talking about but then you would need a different implementation for authentication (unless you could use domain authentication). No where in this solution uses PHP so I am afraid of recommending it on this board. This is probably how the server is already set up. You will need your own proxy between the lab and the server if you have no access to the server. This computer will at the least need 2 NICs and SQUID. Now is a GREAT time to play with Linux. Do not try to throw a proxy software onto this box! Microsoft has too much code containment in their operating systems and the software spends too much time trying to fight with the OS to work. Get Squiddy with it!

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql

hiprakhar · April 22, 2010

Hi andrewgauger

Thanks for the reply.

Windows server 2003, IIS, and RRaS can do what you need. ISA is microsoft's product for what you are talking about but then you would need a different implementation for authentication (unless you could use domain authentication). No where in this solution uses PHP so I am afraid of recommending it on this board.

I could not understand the first 2 lines of your post. Probably what you mean is that I can do what I want to do with Microsoft but its not the best idea because php mysql combo wont work. (is that what you mean?)

This is probably how the server is already set up. You will need your own proxy between the lab and the server if you have no access to the server. This computer will at the least need 2 NICs and SQUID. Now is a GREAT time to play with Linux. Do not try to throw a proxy software onto this box! Microsoft has too much code containment in their operating systems and the software spends too much time trying to fight with the OS to work. Get Squiddy with it!

Great! So I will install Ubuntu (is it fine?) on a core2Duo, 1GB ram computer and run Squid on it. This will work as proxy server in the internet lab itself. Such that all the computers will negotiate with this server before accessing the internet (right?). This machine WILL have 2 NICs. Your example clearly shows how MYSQL is used for logging ips. I will bind it with my php mysql solution (Thanks!!).

If possible, guide on the Squid and Ubuntu thing... how to get going with it. You are right, I will have to play with Linux to get going at the first place...

Do not try to throw a proxy software onto this box! Microsoft has too much code containment in their operating systems and the software spends too much time trying to fight with the OS to work. Get Squiddy with it!

What is meant by that? which box do you refer to in "onto this box" Is it Microsoft or Linux. Well Squid does have a Windows instance. Should I go with that or stick to the Linux Squid combo.

hiprakhar · April 22, 2010

Please do visit http://prakhargoel.com/projects/lms/

This is the login authentication system that I have prepared as part of my college project. I cannot afford to start from scratch and loose the legacy of hours of labor.

So please suggest solutions keeping in mind this page. You can login using student number as "0710040" and password as "demo".

The corresponding labadmin panel is at http://prakhargoel.com/projects/lms/labadmin/ Login here with "demo" and "demo"

hiprakhar · April 22, 2010

Hi

With respect to the example suggested by@andrewgauger http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql

Let me explain the requirements of the internet:

1) The student comes and sits on a computer.

2) Type www.google.com in address bar

3) The proxy server checks if the xyz ip (from where request is coming) is logged or not.

4) if its logged then it fetches www.google.com

5) If the ip is not logged then it redirects to 192.168.0.36/lms/index.php

6) So the unlogged student is forced to view 192.168.0.36/lms/index.php by typing www.google.com (or any other url)

I am very new to Squid and Linux. Can I make the SQUID work the way suggested above?! That would be great!!! Suggest help on these lines.

Once again thanks @andrewgauger for the example.

andrewgauger · April 23, 2010

PHP on Windows doesn't work well, nor MySQL, nor Proxy. These are just better suited for a Linux box. Sorry for rambling on my initial post, I kept navigating away and apparently the thought wasn't as coherent as it was in my mind.

The truth is what you are looking for is a "captive portal solution", not Squid. Sorry, I was really getting into the idea of discussing squid, but it isn't the best solution here. I have been to your student portal, and it did work. I think the single sign on will be the toughest part of the implementation--but well worth it. The student should be able to login to your portal and be able to route to the internet. There is going to have to be some sort of integration with your sessions/database to the captive portal.

http://www.chillispot.info/

http://www.personaltelco.net/PortalSoftware A massive list of Captive Portals

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal - probably your best bet, it describes how someone built their own Linux box that acts as a firewall and uses ip tables to determine if the traffic should forward. It is exactly what you are asking for (except the difficulty level is about a 6 for Linux, but worth the struggle).

EVERY implementation I have found for captive portals are Linux based, but you might be able to find one elsewhere. Essentially, what you will need to do is on login, capture the IP address of the computer and add it to a table in MySQL that will designate the traffic as route enabled. The Linux box will need to be between the Windows server and the lab. If you have no experience in Linux, give it a go with Ubuntu, although you should upgrade to 10.4 when it comes out, because it will be wicked. The example is for Debian http://polishlinux.org/choose/comparison/?distro1=Ubuntu&distro2=Debian and you may just want to follow the step by step directions http://www.andybev.com/index.php/Setting_up_a_captive_portal_from_scratch_using_Debian.

Good luck.

Zane · April 23, 2010

The wire that comes into internet lab, again goes into a switch with 128 extensions, each entering individual client machine (student).

Well, then this is the wire you could essentially call "The Internet"... since you're only working with the internet lab... right?

You could hook this wire to another Windows Server instead of a switch (or linux server) and have it fullfill the switch... making it a Window Server "router"... so to speak.

andrewgauger · April 23, 2010

The wire that comes into internet lab, again goes into a switch with 128 extensions, each entering individual client machine (student).

Well, then this is the wire you could essentially call "The Internet"... since you're only working with the internet lab... right?

You could hook this wire to another Windows Server instead of a switch (or linux server) and have it fullfill the switch... making it a Window Server "router"... so to speak.

Yep, you are going to need to implement software emulated routing.

Zane · April 24, 2010

To quote andrewgauger, yes.. You will need to emulate a router. If not, then just use a regular router.

"The Wire" I mentioned would go into the uplink of this router.. and you will then need to have an output wire go back to the switch you mentioned before (with the 128 extensions)

That's TWO wires. One of which you already have, so using 1 more wire and a router/emulation. You should be a few steps closer to your login implementation goal.

hiprakhar · August 6, 2010

PHP on Windows doesn't work well, nor MySQL, nor Proxy. These are just better suited for a Linux box. Sorry for rambling on my initial post, I kept navigating away and apparently the thought wasn't as coherent as it was in my mind.

The truth is what you are looking for is a "captive portal solution", not Squid. Sorry, I was really getting into the idea of discussing squid, but it isn't the best solution here. I have been to your student portal, and it did work. I think the single sign on will be the toughest part of the implementation--but well worth it. The student should be able to login to your portal and be able to route to the internet. There is going to have to be some sort of integration with your sessions/database to the captive portal.

http://www.chillispot.info/

http://www.personaltelco.net/PortalSoftware A massive list of Captive Portals

http://www.andybev.com/index.php/Using_iptables_and_PHP_to_create_a_captive_portal - probably your best bet, it describes how someone built their own Linux box that acts as a firewall and uses ip tables to determine if the traffic should forward. It is exactly what you are asking for (except the difficulty level is about a 6 for Linux, but worth the struggle).

EVERY implementation I have found for captive portals are Linux based, but you might be able to find one elsewhere. Essentially, what you will need to do is on login, capture the IP address of the computer and add it to a table in MySQL that will designate the traffic as route enabled. The Linux box will need to be between the Windows server and the lab. If you have no experience in Linux, give it a go with Ubuntu, although you should upgrade to 10.4 when it comes out, because it will be wicked. The example is for Debian http://polishlinux.org/choose/comparison/?distro1=Ubuntu&distro2=Debian and you may just want to follow the step by step directions http://www.andybev.com/index.php/Setting_up_a_captive_portal_from_scratch_using_Debian.

Good luck.

Hello andrewgauger!

Sorry for the late reply. Was off board for the past few months. Thanks for the nice suggestion about captive portals. I have:

1) Installed ubuntu fresh version

2) apt-get all utilities required like apache, php5, mysql and phpmyadmin

3) Now I am going towards building the captive portal flat.

I am using your pointer: http://www.andybev.com/index.php/Setting_up_a_captive_portal_from_scratch_using_Debian (Thanks for the link!). But here, the description is too specific. Like "Speedtouch firmware" etc. Can you please provide me some more pointers to the captive portals? Most of the CP I checked out on the Internet are for wi-fi. However I need it for LAN.

I need it simple- Create captive portal > test it using a sample php-mysql login page and ip tables > deploy my own php solution that you said you tested.

ps: I really appreciate your help for leading me to the right direction! I always want to add nice people my network where we can share part of our gray matter and spread sunshine. I would love to be your friend. Please drop me an email at hiprakhar @ gmail . com or give me your email id or drop me a PM.

Sign In

Force users to login before they use internet

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information