How to allow multiple logins

[AltF4]

I am sad to see that this didn't make it in the most recent minor builds. Hope it may come in the future?

 

[RMerlin]

I am sad to see that this didn't make it in the most recent minor builds. Hope it may come in the future?

Re-read my last response. This won't be happening.

 

[AltF4]

Re-read my last response. This won't be happening.

Not even a logout button?

 

[got_milk]

Not even a logout button?

Logout button for what? There's already a logout button in the UI.

 

[RMerlin]

Not even a logout button?

First paragraph of my reply:

The option to force an existing session to be logged out isn't doable without a LOT of work. Inactive sessions expire after 60 seconds, so just wait a minute and you should regain access to the router.

 

[AltF4]

I just thought you were talking about adding a logout other users button to the warning / information page.

 

[RMerlin]

I just thought you were talking about adding a logout other users button to the warning / information page.

That's correct.

There's already a Logout button at the top of the webui, so I don't see where else you'd want one.

 

[AltF4]

Then how do I access that page when I previously connected to the router from another computer?

- Thanks

 

[RMerlin]

Then how do I access that page when I previously connected to the router from another computer?

- Thanks

You really didn't read this post, did you?

 

[alk630]

The option to force an existing session to be logged out isn't doable without a LOT of work. Inactive sessions expire after 60 seconds, so just wait a minute and you should regain access to the router.

Concurrent logins won't be happening. If Asus specifically prevented these, then there must be a good reason. The backend was most likely never designed to handle multiple sessions.

What is classed as an 'inactive session' you say logs out after 60 seconds? I have several clients on my LAN, but if I forget and leave any one of them logged in on the router interface, the session never expires even after a few hours? Perhaps this is what AltF4 is confused about? I agree, it is annoying that you have to then find out which client is still logged in and then you have to go and manually log out of that client before being able to log in on another...

 

[RMerlin]

What is classed as an 'inactive session' you say logs out after 60 seconds? I have several clients on my LAN, but if I forget and leave any one of them logged in on the router interface, the session never expires even after a few hours? Perhaps this is what AltF4 is confused about? I agree, it is annoying that you have to then find out which client is still logged in and then you have to go and manually log out of that client before being able to log in on another...

If you leave the web browser open on another computer, then this would require a forced logoff link, which I can't implement.

If you close the browser on the other computer, then you will be able to open a new session after 60 seconds on another computer.

 

[alk630]

Thanks for clarifying

 

[AltF4]

If you leave the web browser open on another computer, then this would require a forced logoff link, which I can't implement.

If you close the browser on the other computer, then you will be able to open a new session after 60 seconds on another computer.

What happened to this?
"But I'll consider adding an option to force logging out any existing session, from the notification page."

Why cannot a button simply automate those nvram clearing commands?


I don't mind not having concurrent sessions (even though all Linksys, DD-WRT, Tomato, DLink, and Belkin router back ends do support it... shame on ASUS for not!). I just don't want to have to find the computer that has a browser tab open to the router somewhere which could be ANYWHERE. I may not even have remote access to the computer if it was someone else's. In which case I would be forced to either do nvram surgery, or completely bring down my entire network by rebooting my router.

It's such a small request (even just for ASUS to implement), but its incredibly annoying to not have, especially out of a $200 router. I hate it when software is so close to perfect, but have small caveats like this that drive me insane. Sorry to vent, but its beyond frustrating, as to why ASUS must be different.

 

[AltF4]

And yet, I am still messing up my router's nvram at times when trying to clear the login. This is beyond frustrating I must say.

Honestly, I am about ready to simply make this router an AP (connect it via a LAN cable to a new router) - Keep it for the good Wifi signal it provides, and simply purchase a Gigabit LAN router that I can DD-WRT with, because its simply ridiculous that I cannot have this function properly.

 

[Nerre]

I can't understand then need to log in so often with the web ui? The web ui is for configuration, that's why it's not designed for several concurrent users.

I log in to my router maybe 2-3 times a month at most.

And I'm from the "old school" where we shut down the web browser when leaving the computer, so there's never another computer logged in

 

[AltF4]

I can't understand then need to log in so often with the web ui? The web ui is for configuration, that's why it's not designed for several concurrent users.

I log in to my router maybe 2-3 times a month at most.

And I'm from the "old school" where we shut down the web browser when leaving the computer, so there's never another computer logged in

That may work for some, but not for geeks that use their router as a tool: WOL, client management, LAN and WAN statuses, logging, etc.

I would prefer to use the GUI on my iPhone than some kind if telnet or SSH via commands and scripts to accomplish something.

Hunting for the specific browser and tab using LogMeIn, RDP, or TeamViewer is not typically ideal when not at a keyboard and mouse. Would be easier to issue a reboot cmd over telnet or ssh by the time I find it. But then it's kicking off all my machines, and any people connected to the Wifi APs.

 

[AltF4]

If there was an easy way to iterate through the Chrome tabs, I would do it programmatically, through EnumWindows proc (and then in the Chrome console call logout() -- which would be executed remotely through a tool like PC Monitor), but the problem is that multiple chrome tabs belong to 1 window, so Win32 APIs won't help much.

I really just wish there was a button provided to us on the notification page . Really don't want to have to replace this $200 router with a more simple one, but I will if I have to. I am starting to enjoy TomatoUSB by Shibby, but I like the interface of this router (and its signal).

Please Merlin?

 

[RMerlin]

Since there seems to still be a lot of confusion and debate around this, let me go over the whole thing in detail, for one last time.

There are two things being discussed so far:

1) Ability to have multiple simultaneous logins
2) Ability to force logging out someone else


Ability to have multiple simultaneous logins:
Asus has specifically implemented code to ensure that only one user can be logged in the webui at one time. I am sure this was done for very good reasons, since it was a deliberate implementation, and not a bug or an accident.

The webui isn't just a bunch of static pages that get pushed to clients, and then the router receives a filled form. In some cases, the webui uses Ajax to talk back with the router while you are on the page. When you toggle between the 2.4 GHz and 5 GHz wifi settings, for example. Or when visiting the client list page. Therefore, it is important to ensure data integrity that only one person at a time talks back and forth with the router. Otherwise, the webserver backend would need to have some solid locking mechanisms in place. For instance, if you try to save your settings while nvram is locked for another operations, unpredictable things can happen.

Therefore, allowing multiple logins is something I don't want to implement, because it can lead to unpredictable behaviour, and settings corruption. Since stability has priority over additional features, this is the reason for my decision.

Ability to force logging someone else out
This is something I actually spent about two hours looking at. It's not realistically doable for the following reasons.

First, to be able to tell the router "Hey, log that other user out", you would have to be logged in yourself. Otherwise if you send a request to the router, it will simply say "Request denied, you have to be logged in for me to even listen to you, so here's the NoLogin page as my answer".

Second, it would be technically possible to implement a specific URL that would bypass authentication. Doing so however would mean that ANYONE would be able to kick any logged user, without any authentication. So picture this: you have your router configured with the web interface accessible over WAN. Someone decides to constantly access the "Kick that other user out" URL remotely. What's the end result? You will never be able to log into your router. This is best known as a "Denial of Service". You would be forced to unplug your WAN cable just to be able to access your router again. You can imagine how impractical this would be.

And thirdly: if you leave a browser window open on PC A, and you try to force logging it out from PC B, what will happen? A lot of pages will talk back with the router, requesting status updates, and so on. Within a few seconds, PC A will send another http request to the router, which will tell it "Need authentication". What will the web browser do on PC A? "Sure, here is my HTTP credentials". End result: within seconds, your PC A will be once again logged back into the router, and you are back to the same problem: PC B still locked out.

So on the forced logout link, this is something that I CAN'T implement. The whole authentication system would have to be redesigned just for this to be doable.


So there you go. The first one I won't implement because it compromises stability, the second I can't implement because it's not possible, in addition to being a major security hole.

Also bear in mind that you will be prevented from logging in ONLY if you actually leave another browser open. If you just closed a browser and forgot to click "Logout" first, or if your IP has changed, then just wait 60 secs. After 60 secs without hearing back from a client, the session will expire.

As far as I'm concerned, this debate is closed, since the reasons seem valid enough to support my decisions. If you still want to risk compromising your router's stability, then go ahead - fork the code, and remove ALL authentication-related code. Then, YOU deal with the support issues that you will receive in your mailbox when people see their router end up with corrupted settings, or some settings no longer get properly written back to the router.

 

[AltF4]

Since there seems to still be a lot of confusion and debate around this, let me go over the whole thing in detail, for one last time.

There are two things being discussed so far:

1) Ability to have multiple simultaneous logins
2) Ability to force logging out someone else


Ability to have multiple simultaneous logins:
Asus has specifically implemented code to ensure that only one user can be logged in the webui at one time. I am sure this was done for very good reasons, since it was a deliberate implementation, and not a bug or an accident.

The webui isn't just a bunch of static pages that get pushed to clients, and then the router receives a filled form. In some cases, the webui uses Ajax to talk back with the router while you are on the page. When you toggle between the 2.4 GHz and 5 GHz wifi settings, for example. Or when visiting the client list page. Therefore, it is important to ensure data integrity that only one person at a time talks back and forth with the router. Otherwise, the webserver backend would need to have some solid locking mechanisms in place. For instance, if you try to save your settings while nvram is locked for another operations, unpredictable things can happen.

Therefore, allowing multiple logins is something I don't want to implement, because it can lead to unpredictable behaviour, and settings corruption. Since stability has priority over additional features, this is the reason for my decision.

Ability to force logging someone else out
This is something I actually spent about two hours looking at. It's not realistically doable for the following reasons.

First, to be able to tell the router "Hey, log that other user out", you would have to be logged in yourself. Otherwise if you send a request to the router, it will simply say "Request denied, you have to be logged in for me to even listen to you, so here's the NoLogin page as my answer".

Second, it would be technically possible to implement a specific URL that would bypass authentication. Doing so however would mean that ANYONE would be able to kick any logged user, without any authentication. So picture this: you have your router configured with the web interface accessible over WAN. Someone decides to constantly access the "Kick that other user out" URL remotely. What's the end result? You will never be able to log into your router. This is best known as a "Denial of Service". You would be forced to unplug your WAN cable just to be able to access your router again. You can imagine how impractical this would be.

And thirdly: if you leave a browser window open on PC A, and you try to force logging it out from PC B, what will happen? A lot of pages will talk back with the router, requesting status updates, and so on. Within a few seconds, PC A will send another http request to the router, which will tell it "Need authentication". What will the web browser do on PC A? "Sure, here is my HTTP credentials". End result: within seconds, your PC A will be once again logged back into the router, and you are back to the same problem: PC B still locked out.

So on the forced logout link, this is something that I CAN'T implement. The whole authentication system would have to be redesigned just for this to be doable.


So there you go. The first one I won't implement because it compromises stability, the second I can't implement because it's not possible, in addition to being a major security hole.

Also bear in mind that you will be prevented from logging in ONLY if you actually leave another browser open. If you just closed a browser and forgot to click "Logout" first, or if your IP has changed, then just wait 60 secs. After 60 secs without hearing back from a client, the session will expire.

As far as I'm concerned, this debate is closed, since the reasons seem valid enough to support my decisions. If you still want to risk compromising your router's stability, then go ahead - fork the code, and remove ALL authentication-related code. Then, YOU deal with the support issues that you will receive in your mailbox when people see their router end up with corrupted settings, or some settings no longer get properly written back to the router.

Well, time to buy a new router. Seriously.
I do appreciate taking the time to explain this though.

I will go with the N66U but load it with Shibby's Tomato, I think.
I love the work you have done to make ASUSWRT a great product though. I do understand that it's not your fault that it does this, it is Asus' design decisions from the get-go.

In the future, could you possibly consider making a session expire after a set amount (can be optionally specified), such as 1 hour, instead of having the connection remain open indefinitely? I would appreciate that as a last resort kind of thing.

BTW, just curious, why couldn't the "request to logout" page be protected by a username and password to prevent a DoS attack?

Thanks again.

 

[hadesty]

Multiple logins issue

I think I was able to find a work around but seems to require a few tries. From your telnet/ssh session I pasted the following command (as stated ealier):
nvram unset login_ip_str
nvram unset login_timestamp
nvram unset login_ip

I then IMMEDIATELY went to my browser on my new https session on the new computer and refreshed the page. After a couple of logins prompts I seems to be fast enough to login with my new session.