Hi Mike,

There is a session variable which the NetScaler uses to tie an inbound request to a successful authentication. In an HA scenario, this session information is shared with the HA partner so that in the event of an HA failover where the secondary appliance becomes primary, the user's requests will still be recognised as being authenticated. If this were not the case, then after an HA failover every single user would be forced to re-authenticate.

Here are the answers to your specific questions:

There are several types of cookie used in day-to-day operations, e.g. persistence cookies, GSLB persistence cookies, authentication cookies, WAF cookies... The vulnerability you are referring to relates to the authentication session information.

Q. Under what HA conditions are the cookies shared?
A. Cookies are shared in HA and Cluster scenarios to make a failover event seamless for those accessing apps behind NetScalers.

Q. Are they shared under a normal HA scenario?
A. Yes, this is default behaviour, and part of what makes a pair of NetScalers more resilient.

Q. And in an HA scenario where they are shared, where do you need to clear them? On all nodes? Just the primary? The secondary?
A. Just the primary. The command will propagate to the secondary.

Hope this helps,

Kind Regards,
Ronan.