Citrix ADC - Citrix Gateway - Login Schema Cancel Button - Unset http.req.cookie.value for exiting manageotp

In order to improve the user experience, I have been trying to find a way to add "Cancel" buttons to the various nFactorPortalTheme Custom Schema Files.  The reason for this is that I've found that, using the standard "nFactor Flow" which includes Native OTP, we have an issue with the initial check with this Expression:



If a user uses this URL with "manageotp", then the only way to stop being in a Manage OTP state is to ensure all cache & cookies are cleared or to log into the Manage OTP.  In our situation we have set up checks where, if the user is not in a special Remote User and Manage My OTP Security Group, then they must have never set up an OTP Device (by the LDAP Search filter ensuring userParameters is NOT set).


I found a resource here that has a method from Michael Shuster: https://www.ferroquesystems.com/resource/howto-create-a-citrix-adc-nfactor-custom-label-cancel-or-logoff-button/

This method entails updating the script.js in your /var/netscaler/logon/themes/<YOUR_THEME>/ path (in our case /var/netscaler/logon/themes/nFactorPortalTheme/).  Then you add the button to each XML of your loginschema files (in /flash/nsconfig/loginschema/) as special "Cancel" button entries that the jQuery will update.


The problem I'm having with this method is that it attempts to set up the Cancel onClick events to direct to "/cgi/tmlogout", which almost works, but not quite.  What I have found is this does not actually perform what you would think would be a Full Log Off event call by also cleaning up any Cookies.  So if the user had been in "manageotp" they are then still stuck in "manageotp", as the http.req.cookie.value("NSC_TASS").contains("manageotp") has not been cleared.  Another reason for wanting a "Cancel" that truly clears settings is that we have also seen issues where cache/cookies appear to be left behind from previous sessions that may have timed out, and the users experience issues logging in.  It would be helpful to have some way to ensure a fresh session without any stale values.


It also seems a bit strange that in possibly all the Schema XML files there are <CancelPosBack/><CancelButtonText/> elements, but I have not found a built-in method of adding a "Cancel" button in any Examples or existing Login Schema XML files.



Morten, could you please elaborate on what you are calling the "Responder Policy"? I tested simply updating to use "/logmeout", and that still does not clear the NSC_TASS cookie of the "manageotp" value.  I'm not sure if you are referring to a method in the nFactor Flow Policy of setting the Expression to clear the http.req.cookie.value("NSC_TASS").value, or what?

I'll admit, I'm still figuring out the Policy Expression Syntax, as a simple IF THEN would be useful if I could have it clear the value.




Hi (again) Jeff


I'm a bit late to the party, but what I think Morten refers to here is just a simple responder policy that evaluates for that /logmeout path and has a redirect action associated with it which sends you back to the initial FQDN of your Gateway/Authentication vServer. This should reset the TASS cookie value and allow the user to log in without being put in the manageotp flow.


Alternatively, what I found is that it can sometimes be easier to just have a separate subdomain for OTP registration (so e.g. otp.yourdomain.com) which then redirects to /manageotp. Not sure of course if this is easily integrated in your current setup or even a good idea for your environment, but it works well for us like this.

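The responder policy described in the reply above, written out as an added NetScaler CLI example (not configuration from any poster in this thread): a redirect action that sends the browser back to the Gateway's own FQDN, a policy that matches only the /logmeout path, and a REQUEST-time binding on the Gateway vServer. The vServer name gw_vs and the policy/action names are assumed placeholders; adjust them to your environment, and verify in your own browser that the NSC_TASS cookie no longer contains "manageotp" after the redirect, since the original poster reported that a plain /logmeout did not clear it in his test.

```text
# Redirect action: send the client back to the Gateway FQDN it arrived on.
# HTTP.REQ.HOSTNAME.SERVER reuses the Host header so the same config works
# on any vServer; replace it with a literal FQDN if you prefer.
add responder action rs_act_logmeout_redirect redirect "\"https://\" + HTTP.REQ.HOSTNAME.SERVER + \"/\"" -responseStatusCode 302

# Policy: fire only on an exact /logmeout path (EQ, not CONTAINS, so that
# unrelated paths that merely embed the string are not caught).
add responder policy rs_pol_logmeout "HTTP.REQ.URL.PATH.EQ(\"/logmeout\")" rs_act_logmeout_redirect

# Bind on the Gateway vServer (assumed name gw_vs) so it is evaluated
# before the AAA/nFactor flow sees the request.
bind vpn vserver gw_vs -policy rs_pol_logmeout -priority 100 -gotoPriorityExpression END -type REQUEST

# Check that the policy is bound and has been hit after testing /logmeout.
show responder policy rs_pol_logmeout
```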
