ADC

HTTP cookie persistence

When HTTP cookie persistence is configured, the Citrix ADC appliance sets a cookie in the HTTP headers of the initial client request. The cookie contains the IP address and port of the service selected by the load balancing algorithm. As with any HTTP connection, the client then includes that cookie with any subsequent requests.

When the Citrix ADC appliance detects the cookie, it forwards the request to the service IP and port in the cookie, maintaining persistence for the connection. You can use this type of persistence with virtual servers of type HTTP or HTTPS. This persistence type does not consume any appliance resources and therefore can accommodate an unlimited number of persistent clients.

Note: If the client’s Web browser is configured to refuse cookies, HTTP cookie-based persistence does not work. It might be advisable to configure a cookie check on the website, and warn clients that do not appear to be storing cookies properly that they need to enable cookies for the website if they want to use it.

The format of the cookie that the Citrix ADC appliance inserts is:

NSC_XXXX=<ServiceIP ><ServicePort>

Where:

  • NSC_XXXX is the virtual server ID that is derived from the virtual server name.
  • ServiceIP and ServicePort are encoded representations of the service IP address and service port, respectively. The IP address and port are encoded separately.

You can set a time-out value for this type of persistence to specify an inactivity period for the session. When the connection has been inactive for the specified period, the Citrix ADC appliance discards the persistence session. Any subsequent connection from the same client results in a new server being selected based on the configured load balancing method, and a new persistence session being established.

Note: If you set the time-out value to 0, the Citrix ADC appliance does not specify an expiration time, but sets a session cookie that is not saved when the client’s browser is shut down.

By default, the Citrix ADC appliance sets HTTP version 0 cookies for maximum compatibility with client browsers. (Only certain HTTP proxies understand version 1 cookies; most commonly used browsers do not.) You can configure the appliance to set HTTP version 1 cookies, for compliance with RFC2109. For HTTP version 0 cookies, the appliance inserts the cookie expiration date and time as an absolute Coordinated Universal Time (GMT). It calculates this value as the sum of the current GMT time on the appliance and the time-out value. For HTTP version 1 cookies, the appliance inserts a relative expiration time by setting the “Max-Age” attribute of the HTTP cookie. In this case, the client’s browser calculates the actual expiration time.

To configure persistence based on a cookie inserted by the appliance, see Configuring Persistence Types That Do Not Require a Rule.

In the HTTP cookie, the appliance by default sets the HTTPOnly flag to indicate that the cookie is nonscriptable and must not be revealed to the client application. Therefore, a client-side script cannot access the cookie, and the client is not susceptible to cross-site scripting.

Certain browsers, however, do not support the HTTPOnly flag and, therefore, might not return the cookie. As a result, persistence is broken. For browsers that do not support the flag, you can omit the HTTPOnly flag in the persistence cookie.

To change the HTTPOnly flag setting by using the CLI

At the command prompt, type:

set lb parameter -httpOnlyCookieFlag (ENABLED|DISABLED)
<!--NeedCopy-->

Example:

>  set lb parameter -httpOnlyCookieFlag disabled
   Done
> show lb parameter
  Global LB parameters:
       Persistence Cookie HttpOnly Flag: DISABLED
       Use port for hash LB: YES
 Done
<!--NeedCopy-->

To change the HTTPOnly flag setting by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Configure Load Balancing Parameters, and select or clear the Persistence Cookie HTTPOnly flag.

From release 10.5 build 55.8, you can encrypt the cookie in addition to any SSL encryption.

set lb parameter -UseEncryptedPersistenceCookie ENABLED -cookiePassphrase test
<!--NeedCopy-->
  1. Navigate to Traffic Management > Change Load Balancing Parameters, and select Encode Persistence Cookie Values and enter a passphrase in Cookie Passphrase.
HTTP cookie persistence