Jump to content
Welcome to our new Citrix community!

different values for cookie persistence


Recommended Posts

Hi guys,

 

I'm wondering what happens to the sessions which comes to the Netscaler with different cookie value than saved for CookieInsert Persistence.

 

Lets imagine 2 scenarios:

 

1. We are having the CookieInsert Persistence configured and the timeout is set to 30 minutes. Netscaler sets the cookie for all the next HTTP requests in the same session. What if within the configured timeout the server to which the first connection was made will be removed? Will Netscaler choose a different server (based on the LB method) and override the cookie value for that old session for the next requests?

 

2. We are not using encryption for Persistence Cookies, but what if we change it to use the encrypted cookies after receiving the first HTTP request for specific session? The next request in the same session/during the configured timeout will come with the unencrypted value whereas Netscaler will try to match it against the encrypted values. Will Netscaler reject such requests until the timeout expires or will assign a new encrypted value for the cookie and send the traffic to the server based on the LB method?

 

 

Link to comment
Share on other sites

Question 1: if the server for which the cookie persistence is set for is removed or fails (goes down) before the persistence expiration, the cookie persistence is ignored and a new load balancing decision is made.  You can see this in the admin guide (not under cookie persistence but the "about persistence" setting.).  Also, if the destination is "out of service" such as at max threshold, existing persistence sessions are honored meaning the cookie will still work, but new requests will not be sent here and when the current persistent sessions expire they won't go to the service until it is back in service.  (Basically, same behavior for any persistence setting, not just cookies.):  https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/load-balancing-persistence/persistence.html

 

Question 2:  I *think* that changing from encrypted:off to on is the same as changing persistence method on the vserver and the old value is discarded and a new persistence is implemented. But I would recommend testing to be sure. I can look tomorrow if someone can't confirm this right off.

Link to comment
Share on other sites

Hi Rhonda,

thank you for your answer.

 

I have checked it today and I see that I'm getting the same unencrypted Cookie for already running session, even if I change to encrypt the Cookie.

Only if I close the browser (Cookie timeout set to 0) and open it again I'm getting the new encrypted Cookie.

 

What is worth to mention, even with the old unencrypted cookie I'm still directed to the same server. But I was testing it with only my connection running, so I cannot be sure if the old cookie value still works for Persistence or it was just a fortune with the LB method that I landed at the same server.

Link to comment
Share on other sites

Just to clarify for scenario 2, were you  referring to the "enable persistence secure cookie" setting in the global http parameters and not some other setting?

If its the one I listed, I was wrong and changing its value doesn't change your persistence decision just whether the cookie gets the "secure" flag when over ssl.  

 

If you are talking about the "encode persistence cookie values" under the LB parameters to encrypt the cookie, then going from OFF to ON does not seem to change the lb decision. Going from ON to OFF, resets the lb decision in my limited testing.

 

Link to comment
Share on other sites

Hi Rhonda,

 

yes, I was talking about the encryption of persistence cookie configured under the LB parameters.

 

I got the same results for going from OFF to ON... but I'm wondering, if this was an old unencrypted cookie value which is still used or by any luck the LB method sent next request to the same backend server. (I have to check this again tomorrow)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...