[smashed]

I've been there. I can relate to everything you said!

The DHCP standard was such a waste of time. Ignore it completely, no client support whatsoever.

Intercepting all plain HTTP traffic (just drop https) and responding with a 30x redirect to your captive portal web page seems to be the ad-hoc "standard". Your captive portal domain can be served under secured HTTPS just fine.

I fully agree with the sandboxed browsers pain and absolute impossibility to get a nice consistent UX across platforms.

[lukeboi]

Totally agree. Like you said the method we converged on is to just redirect DNS requests + 303 users depending on if they’ve gotten through the portal yet. It seems to work fine. What’s most frustrating is that most off-the-shelf FOSS dns programs don’t let you do DNS redirects on a per-mac basis, leading us to in-house a decent amount of DNS code.