
SameSite cookie configuration Citrix Gateway / Storefront


Jens Dellner


Hey Guys!
I am evaluating a good "SameSite" configuration for our Citrix Gateways.

 

1. My first step was to fill the pattern set 'ns_cookies_samesite' with all known Citrix ADC cookies:

- NSC_DLGE
- NSC_USER
- NSC_CERT
- NSC_TEMP
- NSC_PERS
- pwcount
- NSC_AAAC
- NSC_VPNERR
- NSC_TMAA
- NSC_TMAS
- NSC_SAMS

 

The next step was to set the Citrix Gateway SameSite Configuration to 'LAX'.

 

I opened the Citrix Gateway website from an e-mail (other site) and logged in. I opened the Citrix Gateway website from a new tab and didn't need to log in again. Everything works as expected.

 

My first thought is that it would be good if you couldn't be logged in cross-site, since there is no additional authentication to the applications and data while you are already logged in to Citrix Gateway. It's a nice-to-have if a user can open an e-mail with the Citrix Gateway website link (other site) and doesn't need to log in again if he opens the website in a new tab. That maybe doesn't make any sense, but customers don't work the way we expect and use 100 different ways. Now I set the Citrix Gateway SameSite configuration to 'STRICT'.

I opened the Citrix Gateway website from an e-mail (other site) and logged in. I opened the Citrix Gateway website from a new tab and didn't need to log in again. I don't see any applications. I think that does not work as expected. Shouldn't all the cookies be ignored and the user only see the Citrix Gateway login page?

 


2. I decided to set the Storefront Persistence Cookie to Lax, since it is not used for authentication purposes, but can be useful to get directed to the same storefront server, even if you access the storefront Load Balancer in different ways.

 


3. Which SameSite configuration do you use for the Cookies set by storefront?

 

https://<yourstorefront/gatewayURL>/Citrix/<yourstore>/Home/configuration
- ASP.NET_SessionId: SameSite=Lax (Default)
- CsrfToken: SameSite does not exist (Default)

 

https://<yourgatewayURL>/Citrix/<yourstore>/GatewayAuth/Login
- CtxsAuthId: SameSite does not exist (Default)

 

 

4. How do you handle the SameSite configuration in your Environment?

 

Thanks for your opinion!

 

Best regards,
Jens


  • 4 months later...

Hi Jens, I have an issue with cookie behaviour when a website is in an IFRAME: typically a cross-site cookie issue.

I think I will set the cookie as SameSite=None for all requests coming from that frame.

But I cannot do it if I follow these instructions:

https://docs.citrix.com/en-us/netscaler-gateway/11-1/authentication-authorization/configure-samesite-attribute-for-citrix-gateway.html

 

Our NetScaler 11.1 does not have the option SameSite in the GUI under Global Settings > Change Global Settings > Security.

I also don't know how to execute the instruction from command line.

It is suggested:

 

set vpn param VP1 -SameSite None
set aaa param VP1 -SameSite None

but the command line does not accept the instruction (what should I place instead of VP1?).

It does not recognize the "-SameSite" parameter.

Do you know why?

Thanks in advance.

Carlo


Good morning Carlo,

What kind of website are you trying to display in this iframe? Is it a NetScaler Gateway site (VPN, ICA, AAA) or a regular website behind a virtual server?

 

If it is a Netscaler Gateway Site, is it hosted on

- Netscaler 11.1: https://docs.citrix.com/en-us/netscaler/11-1/aaa-tm/configure-samesite-for-aaa-deployments.html

- Netscaler Gateway 11.1: https://docs.citrix.com/en-us/netscaler-gateway/11-1/authentication-authorization/configure-samesite-attribute-for-citrix-gateway.html

 

I could imagine that you navigated to the wrong documentation. The GUI interfaces are a little bit different. That could be the reason why you don't find the global settings in this menu.

 

I think this is a documentation mistake. I cannot check this now, but I think it should be:

SameSite at Virtual Server (where VP1 is the name of the virtual server):

- set vpn vserver VP1 -SameSite [ STRICT | LAX | None ]

- set aaa vserver VP1 -SameSite [ STRICT | LAX | None ]

 

SameSite at global level:

- set vpn param -SameSite [ STRICT | LAX | None ]

- set aaa param -SameSite [ STRICT | LAX | None ]

 

If it is a regular Website, what kind of cookie problem do you have?

- Is it an issue with cookie persistence? https://docs.citrix.com/en-us/netscaler/11-1/load-balancing/insert-cookie-attributes.html

- Is it an issue with a cookie set by the backend system? Build a rewrite action/policy to add the SameSite attribute to your cookie and bind it to the virtual server of the regular website. This could be done with a regular expression to insert the attribute, or you could rebuild your cookie and add the attribute. If you can show the value of the cookie, we can help you further to build the policy.

 

I hope this helps you a little bit.

 

Best regards,

Jens


Hi Jens,

thank you for your explanation.

 

We are using Citrix NetScaler Gateway for load balancing. No virtual server is configured in the Gateway.

So I guess we should work in Global settings.

We use it only to get the requested website data (from one of the two servers in load balancing) and forward them to the clients.

I know that the load balancer uses a persistent cookie to decide on what Server the client is working on.

This is a cookie example:

NSC_MC_Qbui_Dmpve = ffffffffd7e70be445525d5f4f58455e445a4a423660

 

As you know, recently Chrome started to consider all cookies as SameSite=Lax by default (if not specified).

So I'd like to add this directive.

I have already tried the syntax you suggest in command line:

set vpn param -SameSite [ STRICT | LAX | None ]

But it gives this error:

> set vpn param -SameSite None
                          ^^^^
ERROR: No such argument [-SameSite]

I have read the doc about cookie persistence, but we don't have the parameters: LiteralADCCookieAttribute  and ComputedADCCookieAttribute

so also these instructions don't work:

set lb parameter -LiteralADCCookieAttribute SameSite=None
                                              ^^^^^^^^^^^^^
ERROR: No such argument [-LiteralADCCookieAttribute]


set lb parameter -ComputedADCCookieAttribute SameSite
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
No such argument [-ComputedADCCookieAttribute]

Maybe our LoadBalancer is configured differently?

Thank you for your patience.

Carlo
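The cookie list in the first post, the rewrite-policy suggestion in Jens's reply and Carlo's persistence cookie all come down to the same two questions: which Set-Cookie headers carry no SameSite attribute, and what each SameSite value changes for the navigations described in the thread (link from an e-mail, a fresh tab, an IFRAME on another site). The following Python script is an added example, not code from this thread or from Citrix. The Set-Cookie samples are constructed from the cookie names in the thread with placeholder values (only the NSC_MC_Qbui_Dmpve value is the one Carlo posted); the edit that `add_samesite` performs is what a NetScaler rewrite action on the response headers would have to do, but the action syntax for a particular build is not shown here.

```python
"""Check the SameSite attribute on Set-Cookie headers, apply the edit that a
rewrite policy would make, and model how a browser treats each SameSite
value for the navigations discussed in this thread."""

from typing import Dict, List, Optional, Tuple

# Constructed sample Set-Cookie values using the cookie names from the thread.
# Cookie values are placeholders except the NSC_MC_* value Carlo posted.
SAMPLE_SET_COOKIE = [
    "NSC_AAAC=0123456789abcdef; Path=/; Secure; HttpOnly",
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",
    "CsrfToken=def456; path=/; HttpOnly",
    "NSC_MC_Qbui_Dmpve=ffffffffd7e70be445525d5f4f58455e445a4a423660; path=/",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_samesite(headers: List[str]) -> Dict[str, Optional[str]]:
    """Map cookie name -> 'Strict' | 'Lax' | 'None', or None when the
    attribute is absent and the browser default (Lax in Chrome) applies."""
    report: Dict[str, Optional[str]] = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        value = attrs.get("samesite")
        report[name] = value.capitalize() if value else None
    return report


def add_samesite(header: str, mode: str = "None") -> str:
    """Append SameSite=<mode> to a Set-Cookie header that has no SameSite yet.
    SameSite=None is only honoured together with Secure, so Secure is added
    when it is missing. Headers that already carry SameSite are returned
    unchanged. This is the edit a NetScaler rewrite action on the response
    headers has to make; the action syntax itself is not part of this example."""
    _, _, attrs = parse_set_cookie(header)
    if "samesite" in attrs:
        return header
    result = header.rstrip("; ") + f"; SameSite={mode}"
    if mode.lower() == "none" and "secure" not in attrs:
        result += "; Secure"
    return result


def cookie_sent(samesite: Optional[str], same_site_request: bool,
                top_level_navigation: bool, safe_method: bool = True) -> bool:
    """Model of the SameSite rules: Strict is never sent cross-site, Lax is
    sent cross-site only on top-level navigations with a safe method (GET),
    None is always sent. A missing attribute is treated as Lax, which is
    Chrome's default. Chrome's temporary "Lax+POST" exception for cookies
    younger than two minutes is deliberately ignored here."""
    if same_site_request:
        return True
    mode = (samesite or "Lax").lower()
    if mode == "none":
        return True
    if mode == "lax":
        return top_level_navigation and safe_method
    return False  # Strict


def thread_scenarios(samesite: Optional[str]) -> Dict[str, bool]:
    """The three situations from this thread: following a link in an e-mail
    (cross-site, top-level), opening the site in a fresh tab (no cross-site
    initiator, so same-site) and embedding it in an IFRAME on another site
    (cross-site, not top-level)."""
    return {
        "link_from_email": cookie_sent(samesite, False, True),
        "new_tab": cookie_sent(samesite, True, True),
        "iframe_on_other_site": cookie_sent(samesite, False, False),
    }


if __name__ == "__main__":
    for name, value in audit_samesite(SAMPLE_SET_COOKIE).items():
        print(f"{name:20} SameSite={value or '<absent>'}")
    for header in SAMPLE_SET_COOKIE:
        print(add_samesite(header, "None"))
    for mode in ("Strict", "Lax", "None", None):
        print(mode, thread_scenarios(mode))
```

Feed `audit_samesite` the Set-Cookie headers captured from the gateway and StoreFront (browser developer tools or `curl -I`) to get the report Jens compiled by hand in item 3 of the first post. `thread_scenarios` makes the attribute semantics visible: only SameSite=None lets the cookie reach an IFRAME on another site (Carlo's case), Lax still sends it on the top-level GET that follows an e-mail link, and a fresh tab is same-site for every setting, so an existing session is reused there regardless of the attribute.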


  • 2 weeks later...

Hi Carlo,

sorry for the late response. The SameSite parameter was introduced in 11.1 64.11. Can you please verify that your firmware is equal to or greater than 64.11? Otherwise you first need to update your firmware.

 

I am not familiar with the NetScaler Gateway edition, so it's not easy to help you further. I would appreciate it if you opened a new thread, since it is a completely different topic from the one covered in the first post. This thread can then be used to discuss the general use of the SameSite parameter regarding the different ADC/StoreFront cookies.

 

Best regards,
Jens
