When troubleshooting a captive portal issue, which POST parameter in the redirected HTTPS request can...

In FortiGate captive portal workflows (local or external):

Client connects to SSID / interface that has captive portal enabled.

Client makes an HTTP/HTTPS request.

FortiGate intercepts and redirects to alogin page(local or external URL).

The portal form is submitted viaPOSTback to FortiGate.

To prevent tampering and to tie the POST back to thecorrect user session, FortiGate includes a special hidden parameter in the redirect and expects it in the POST:

The parameter is namedmagic.

The magic value:

Is aunique tokengenerated per captive-portal session.

Encodes/session-links the user’s IP, interface, and session info.

Allows FortiGate to ensure that:

The POST comes from the user who initiated the original request.

The request is not a random or replayed submission.

When troubleshooting:

If the external portal does notpreserve and resendthe magic parameter back to FortiGate exactly as received, authentication fails, and you’ll see errors like “session not found” or “invalid magic”.

Why the other fields are not used for this purpose

A. username– Just the login ID; multiple users can use the same username from different locations, so it can’t uniquely track the browser session.

B. redir– Contains the URL the user originally requested, so they can be sent back there after login. It is not a session integrity token.

D. email– Optional field used in some guest/registration flows; irrelevant to session validation.