30

When I go to a place with a WiFi hotspot (such as Panera Bread) and connect with my iPhone, the hotspot login page appears as a popup. That is, no matter what app I'm running or what web page I'm on, the login page scrolls up from the bottom, asks for my login credentials, and then disappears.

But at some other hotspots, I don't get the login page until I go to Safari and try to load a web page.

What is the iPhone looking for that causes it to pop up the login page at some hotspots and not others? Is there a special HTML meta tag? Or is it related to the way the redirect is implemented?

animuson
Barry Brown

3 Answers

36

I managed to find out the correct term for this authentication type: "Captive portal". Punching in Captive Portal iPhone into Google turned out a few technical details from these pages: one, two, three.

To implement a Wi-Fi popup login page:

  1. DNS request for www.apple.com must not fail
  2. HTTP request for http://www.apple.com/library/test/success.html with special user agent CaptiveNetworkSupport/1.0 wispr must not return Success.

I have not tested this, but it sounds about right.


Comments below mention that iOS 7 behaves differently and may query more than one server. I have not tested this. So easiest would be to simply redirect all HTTP communication to your login page, and block all non-HTTP communication.

Microsoft's captive portal detection uses something similar to pre-iOS7 behavior: its Network Connectivity Status Indicator attempts to contact http://www.msftncsi.com. Windows 8 and 8.1 also include support for WISPr.

Android's captive portal detection, as of AOSP 4.0.1, tries to contact http://clients3.google.com/generate_204 or http://www.google.com/blank.html.

So to be as universal as possible, you'll want to simply block all communication except for authentication, and include WISPr support on the login page.

I'd say "go with a proper authentication on your network" -- something universal such as PEAP+MSCHAPv2 -- but Windows makes it very painful for your users to set it up. I don't know who thought that "Use your Windows authentication details" makes a sane default on machines that are not part of a corporate domain network, or even why "Check certificate validity" is a sane default, as most networks will not consider getting a proper certificate a priority.

Community
Ivan Vučica
  • Good work! I'll accept your answer, even though I don't have the resources to try it out yet. – Barry Brown Sep 13 '10 at 04:25
  • 1
    Here's an interesting article that goes into more detail: http://erratasec.blogspot.com/2010/09/apples-secret-wispr-request.html – Aaron Brager May 06 '13 at 21:11
  • iOS 7 doesn't use the following URL anymore: http://www.apple.com/library/test/success.html. It was replaced by a URL on www.ibook.info (http://www.ibook.info/). – sailor Aug 22 '13 at 15:29
  • 2
    @sailor Only partly correct. In iOS 7 Apple has gone from testing one single page to more than 200 random sites to see if WiFi is open or not. You now need to test for User Agent and not URL. – Jotne Jan 06 '14 at 06:51
  • Just wanna add that from Android 5.0.2 on the host part has changed from clients3.google.com to connectivitycheck.android.com. The rest of the URL stayed the same. – bk138 Apr 23 '15 at 16:13
  • @IvanVučica Hey, sorry for bringing it up/back. I'm very interested in it. You say: "So easiest would be to simply redirect all HTTP communication to your login page, and block all non-HTTP communication." But how to force open the browser? I'm looking for opening the browser, simply, when connecting to the HotSpot AdHoc WiFi of my Linux machine. -------- Well, time has passed, things have changed. How to manage it now? – 3pic Jun 29 '15 at 14:45
  • @3pic You don't. Mobile operating systems currently bring up either a notification (Android), or a drop-down fake 'browser' (iOS). On desktop OSes, users who visit an HTTP page will get redirected. That's it. – Ivan Vučica Jun 29 '15 at 16:16
  • @IvanVučica Thanks. I'm aware of what you say. On desktop OSes, however, nope, they open a 50%height-50%width window... So, OK, OSes manage this by themselves... right. But how to make a real captive garden? I made my Linux machine a hotspot, totally local. No WWW connection. But no popup appears... – 3pic Jun 29 '15 at 16:21
  • @3pic I'm sorry, I can't provide more guidance than stated in the answer. – Ivan Vučica Jun 29 '15 at 16:23
  • "DNS request for www.apple.com must not fail": are you 100% sure??? Is it really needed? I think you invert the matter. If Mac OS does not get Success in reaching its URL check, it concludes "I am trapped" and displays the fake-browser popup. – 3pic Jul 02 '15 at 09:38
  • @3pic Is that truly so shocking to warrant three question marks? Would you want the pop-up to appear when connecting to a network without connectivity? Think about it: it makes sense that it appears if unexpected content or redirect is served, not if connectivity is down or if the network is internal and intentionally not connected. But to answer if I am 100% sure: definitely not. Please investigate yourself. – Ivan Vučica Jul 02 '15 at 09:51
  • @IvanVučica That's the answer. Shocking or not... Think of a hotspot with another goal: providing access to local web, not for public surf. My case: we provide historical information in French castles. You connect to the WiFi and get a page about the tower you are in... very big castles. I don't need to connect to the WWW... Well, OK, captive portal seems to be understood as "captive for a while before surfing the WWW"... finally a temporary walled garden. – 3pic Jul 02 '15 at 09:55
  • I don't understand what is the problem and why you would not just have your DNS server serve the same A-type response for any query, even nonexistent domains. As I cannot provide further information, I will not be replying further here. – Ivan Vučica Jul 02 '15 at 10:04
  • Thanks a lot anyway. We don't understand each other. I do have my DNS server serve the same A-type response for any query... anyway. I misunderstood "**DNS** request for www.apple.com must not fail". It does not, all right. Croatia FTW – 3pic Jul 02 '15 at 10:08
  • Now all my HTTP requests are redirected to a local webpage. Zero access to the WWW. DNS request for www.apple.com does not fail. HTTP request for http://www.apple.com/library/test/success.html does not return Success. And NO WebSheet/PopUp. – 3pic Jul 07 '15 at 14:13
  • "with special user agent CaptiveNetworkSupport/1.0 wispr "...seems to play a part of the game. – 3pic Jul 07 '15 at 14:14
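
An added example, not part of the original answers or comments: a Python sketch of the gateway policy the accepted answer describes (redirect all HTTP to the login page, block everything else), using the probe hosts, paths and user agent quoted in the thread. `LOGIN_URL` and all function names are hypothetical, and the client-side check (a 200 reply whose body contains "Success") is a simplified assumption about the pre-iOS 7 behaviour.

```python
from urllib.parse import urlsplit

LOGIN_URL = "http://portal.example/login"   # hypothetical portal address

# (host, path) pairs named in the answer and comments; None matches any path.
KNOWN_PROBES = {
    ("www.apple.com", "/library/test/success.html"): "apple",
    ("www.msftncsi.com", None): "microsoft",
    ("clients3.google.com", "/generate_204"): "android",
    ("connectivitycheck.android.com", "/generate_204"): "android",
    ("www.google.com", "/blank.html"): "android",
}

def identify_probe(url, user_agent=""):
    """Name the OS connectivity probe behind a request, or None for ordinary traffic."""
    # Per the comments, iOS 7 varies the host, so the user agent is the stable signal.
    if "CaptiveNetworkSupport" in user_agent:
        return "apple"
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for (probe_host, probe_path), name in KNOWN_PROBES.items():
        if host == probe_host and probe_path in (None, parts.path):
            return name
    return None

def gateway_decision(authenticated, url, user_agent=""):
    """Policy from the answer: redirect all HTTP to the login page, block the rest."""
    if authenticated:
        return {"action": "pass"}
    if urlsplit(url).scheme != "http":
        return {"action": "block"}
    return {"action": "redirect", "status": 302, "location": LOGIN_URL,
            "probe": identify_probe(url, user_agent)}

def apple_client_verdict(dns_ok, status, body):
    """Simplified model (assumption) of the pre-iOS 7 check the answer describes."""
    if not dns_ok:
        return "no-connectivity"      # lookup failed: no login sheet is shown
    if status == 200 and "Success" in body:
        return "online"               # probe reached the real page
    return "captive-portal"           # redirect or other content: show the login sheet
```

Logging the `probe` field per client makes it easy to see which operating systems never trigger the login sheet on a given portal.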
1

iOS 6 has apparently fixed WPA2 EAP as it's suddenly popping the login window now.

Our company's public WiFi requires accepting the terms regarding monitoring, etc. I always had to manually open Safari on iPhone or iPad and navigate somewhere; it redirects to an internal acceptance page, and when you clicked the Accept button it would go where you originally were headed.

Today, I updated to iOS 6 and was pleasantly surprised to see the Login window slide up from the bottom and allow me to click the Accept button without even opening Safari.

-4

I suspect that when the login page pops up the Wi-Fi is using EAP. This is a Wi-Fi protocol for authentication. In the case where you need to go to a web page then the authentication will be a custom access implemented by a server (i.e. at a higher level than EAP).

RichB
  • 2
    Incorrect. I have seen this on one hotspot as well; it's not the typical EAP login dialog. An HTML page is displayed requiring login. It does not seem to even require the request to be via HTTP. The current application is overlaid with the login web page. – Ivan Vučica Sep 12 '10 at 17:15