HTTP cookie persistence

September 14, 2021

Contributed by:

S C

When HTTP cookie persistence is configured, the Citrix ADC appliance sets a cookie in the HTTP headers of the initial client request. The cookie contains the IP address and port of the service selected by the load balancing algorithm. As with any HTTP connection, the client then includes that cookie with any subsequent requests.

When the Citrix ADC appliance detects the cookie, it forwards the request to the service IP and port in the cookie, maintaining persistence for the connection. You can use this type of persistence with virtual servers of type HTTP or HTTPS. This persistence type does not consume any appliance resources and therefore can accommodate an unlimited number of persistent clients.

Note: If the client’s Web browser is configured to refuse cookies, HTTP cookie-based persistence does not work. It might be advisable to configure a cookie check on the website, and warn clients that do not appear to be storing cookies properly that they need to enable cookies for the website if they want to use it.

The format of the cookie that the Citrix ADC appliance inserts is:

NSC_XXXX=

Where:

NSC_XXXX is the virtual server ID that is derived from the virtual server name.
ServiceIP and ServicePort are encoded representations of the service IP address and service port, respectively. The IP address and port are encoded separately.

You can set a time-out value for this type of persistence to specify an inactivity period for the session. When the connection has been inactive for the specified period, the Citrix ADC appliance discards the persistence session. Any subsequent connection from the same client results in a new server being selected based on the configured load balancing method, and a new persistence session being established.

Note: If you set the time-out value to 0, the Citrix ADC appliance does not specify an expiration time, but sets a session cookie that is not saved when the client’s browser is shut down.

By default, the Citrix ADC appliance sets HTTP version 0 cookies for maximum compatibility with client browsers. (Only certain HTTP proxies understand version 1 cookies; most commonly used browsers do not.) You can configure the appliance to set HTTP version 1 cookies, for compliance with RFC2109. For HTTP version 0 cookies, the appliance inserts the cookie expiration date and time as an absolute Coordinated Universal Time (GMT). It calculates this value as the sum of the current GMT time on the appliance and the time-out value. For HTTP version 1 cookies, the appliance inserts a relative expiration time by setting the “Max-Age” attribute of the HTTP cookie. In this case, the client’s browser calculates the actual expiration time.

To configure persistence based on a cookie inserted by the appliance, seeConfiguring Persistence Types That Do Not Require a Rule.

In the HTTP cookie, the appliance by default sets theHTTPOnly国旗表明nonsc饼干riptable and must not be revealed to the client application. Therefore, a client-side script cannot access the cookie, and the client is not susceptible to cross-site scripting.

然而,某些浏览器不支持HTTPOnly国旗,因此可能不会返回饼干。As a result, persistence is broken. For browsers that do not support the flag, you can omit theHTTPOnlyflag in the persistence cookie.

To change the`HTTPOnly`flag setting by using the CLI

At the command prompt, type:

set lb parameter -httpOnlyCookieFlag (ENABLED|DISABLED)

Example:

              > set lb parameter -httpOnlyCookieFlag disabled Done > show lb parameter Global LB parameters: Persistence Cookie HttpOnly Flag: DISABLED Use port for hash LB: YES Done 
             

To change the`HTTPOnly`flag setting by using the GUI

Navigate toTraffic Management > Load Balancing > Configure Load Balancing Parameters, and select or clear thePersistence Cookie HTTPOnlyflag.

From release 10.5 build 55.8, you can encrypt the cookie in addition to any SSL encryption.

set lb parameter -UseEncryptedPersistenceCookie ENABLED -cookiePassphrase test

Navigate toTraffic Management>Change Load Balancing Parameters, and selectEncode Persistence Cookie Valuesand enter a passphrase inCookie Passphrase.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

HTTP cookie persistence

September 14, 2021

Contributed by:

S C

September 14, 2021

Contributed by:

S C

HTTP cookie persistence

To change theHTTPOnlyflag setting by using the CLI

To change theHTTPOnlyflag setting by using the GUI

Encrypting the Cookie

To encrypt the cookie by using the command line interface, at the command prompt, type

To encrypt the cookie by using the configuration utility

In this article

To change the`HTTPOnly`flag setting by using the CLI

To change the`HTTPOnly`flag setting by using the GUI