
For CitrixBleed, under what conditions do AAA sessions survive a reboot?



I thought that cookies needed to live on the client and the NetScaler in order to work. Under what HA conditions are the cookies shared? I'm guessing Clustering and Connection Mirroring, maybe Session Reliability. Are they shared under a normal HA scenario?

And in a HA scenario where they are shared, where do you need to clear them? On all nodes? Just the primary? The secondary?

The commands are in the latest advisory but when and where to use them isn't, so some guidance around this would be great.


Hi Mike,

There is a session variable which the NetScaler uses to tie an inbound request to a successful authentication. In a HA scenario, this session information is shared with the HA partner so that in the event of a HA failover where the secondary appliance becomes primary, the users' requests will still be recognised as being authenticated. If this were not the case then after a HA failover, every single user would be forced to re-authenticate. Here are the answers to your specific questions:

There are several types of cookie used in day-to-day operations, e.g. persistence cookies, GSLB persistence cookies, authentication cookies, WAF cookies... The vulnerability you are referring to relates to the authentication session information.

Q. Under what HA conditions are the cookies shared?

A. Cookies are shared in HA and Cluster scenarios to make a failover event seamless for those accessing apps behind NetScalers.

Q. Are they shared under a normal HA scenario?

A. Yes, this is default behaviour, and part of what makes a pair of NetScalers more resilient.

Q. And in a HA scenario where they are shared, where do you need to clear them? On all nodes? Just the primary? The secondary?

A. Just the primary. The command will propagate to the secondary.

Hope this helps, Kind Regards,

Ronan.
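
The procedure described in the answer above, written out as an added example that is not part of the original posts. The session-termination commands are the ones Citrix published for CitrixBleed (they are not listed in this thread); using the `show` commands to confirm node role and to check the result on both nodes is an assumption of this example.

```netscaler
# Added example, not from the thread. Run from the NetScaler CLI.

# 1. On each node: confirm which appliance is currently Primary
#    and that HA synchronization is healthy before making changes.
show ha node

# 2. On the PRIMARY only: terminate active and persistent sessions.
#    Per the answer above, the command propagates to the secondary.
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions

# 3. On the primary, then again on the secondary: list AAA sessions
#    and confirm that no session from before step 2 is still present.
show aaa session
```

Any session still listed after step 3 should be a login made after the commands ran; one that predates them on either node means the clear did not take effect there.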
