Citrix

Archive: Access Gateway Enterprise Edition - Set Cookie not Sent to Requesting Host through Clientless VPN

  • CTX120698
  • Created On  Feb 05, 2010
  • Updated On  Feb 11, 2010
  • Article
  • Topic : Other
This article is no longer maintained. Its content refers to a discontinued product and may be out of date. Refer to the Discontinued Product Lifecycle or Active Citrix Product pages for more information on support schedules.

Symptoms

When accessing internal server resources using Access Gateway Enterprise Edition Clientless VPN (CVPN), the Set-Cookie header is not passed to the requesting host when the server sends a non-200 HTTP message.

This issue was discovered in Access Gateway Enterprise Edition, Build 8.1-61.2.

The following portion of a header trace captured on the client device shows the client making the request with an HTTP GET and receiving a 302 response without the required Set-Cookie header:

GET /cvpn/http/127.0.0.1/vpns/services.html HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PW_COMPTYPE=public; NSC_VPNERR=3,wicps,cvpn,agent; PW_CHOICE=WebMail; BCSI-CS0A1AD40C=2; NSC_USER=70518; NSC_AAAC=832d05b599fd13acf2935a6d5e7f913a

HTTP/1.x 302 Object Moved
Server: NS8.1.56.7
Location: https://1.1.1.1/cvpn/aHR0cDovLzEwLjk5LjIwNy4xNA/Citrix/WebMail
Connection: close

The following TCP stream, taken from an nstrace capture, shows four steps: the client makes the request with an HTTP GET; the Access Gateway makes the corresponding HTTP GET to the server; the server responds with a 302 message that includes Set-Cookie headers; and the Access Gateway sends the 302 message to the VPN client device with the Set-Cookie headers removed:

VPN Client to Access Gateway:

GET /cvpn/aHR0cDovLzEwLjk5LjIwNy4xNA/Citrix/WebMail/auth/login.aspx HTTP/1.1
Host: 2.2.2.2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://2.2.2.2/cvpn/aHR0cDovLzEwLjk5LjIwNy4xNA/Citrix/WebMail/auth/login.aspx
Cookie: WIClientInfo=Cookies_On=true&icaIsPassThrough=0&icaScreenResolution=1440x900; PW_COMPTYPE=public; NSC_VPNERR=3,wicps,cvpn,agent; PW_CHOICE=WebMail; BCSI-CS0A1AD40C=2; NSC_USER=70518; NSC_AAAC=832d05b599fd13acf2935a6d5e7f913a

Access Gateway to Mail Server:

GET /Citrix/WebMail HTTP/1.1
Host: 10.99.207.14
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
X_FORWARDED_FOR: 208.226.153.24

Mail Server to Access Gateway:

HTTP/1.1 302 Found
Date: Fri, 23 Jan 2009 19:17:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Location: /Citrix/WebMail/auth/agesso.aspx
Set-Cookie: WINGSession=icaScreenResolution=1440x900&NFuse_LogonType=AGEPassthrough&icaIsPassThrough=0; path=/Citrix/WebMail/; HttpOnly
Set-Cookie: WIUser=; expires=Sat, 23-Jan-2010 19:17:59 GMT; path=/Citrix/WebMail/; HttpOnly
Set-Cookie: WINGDevice=; expires=Sat, 23-Jan-2010 19:17:59 GMT; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 149

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/Citrix/WebMail/auth/agesso.aspx">here</a>.</h2> </body></html>

Access Gateway to VPN Client (Set-Cookie headers stripped out):

HTTP/1.1 302 Found
Date: Fri, 23 Jan 2009 19:17:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /cvpn/aHR0cDovLzEwLjk5LjIwNy4xNA/Citrix/WebMail/auth/agesso.aspx
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
expires: Mon, 26 Jul 1997 05:00:00 GMT
transfer-encoding: chunked

ca
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://1.1.1.1/cvpn/aHR0cDovLzEwLjk5LjIwNy4xNA/Citrix/WebMail/auth/agesso.aspx">here</a>.</h2> </body></html>
0

Cause

By default, Access Gateway Enterprise Edition running on the NetScaler appliance drops Set-Cookie headers from all incoming non-200 HTTP messages. Because the incoming message is a 302 that carries Set-Cookie headers, the cookie values are dropped before the HTTP message is returned to the client device.
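
One way to confirm this behavior from a capture, as an added example that is not Citrix code: the Python below compares the back-end response with the response the gateway forwarded and lists the cookies that never reached the client. The header blocks are constructed samples abridged from the traces above, the function names are hypothetical, and treating the /cvpn/ path segment as unpadded URL-safe base64 of the back-end origin is an assumption based on the value seen in these traces.

```python
import base64

# Constructed sample input, abridged from the two 302 responses in the traces above.
UPSTREAM = """HTTP/1.1 302 Found
Location: /Citrix/WebMail/auth/agesso.aspx
Set-Cookie: WINGSession=icaScreenResolution=1440x900&NFuse_LogonType=AGEPassthrough&icaIsPassThrough=0; path=/Citrix/WebMail/; HttpOnly
Set-Cookie: WIUser=; expires=Sat, 23-Jan-2010 19:17:59 GMT; path=/Citrix/WebMail/; HttpOnly
Set-Cookie: WINGDevice=; expires=Sat, 23-Jan-2010 19:17:59 GMT; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
"""
DOWNSTREAM = """HTTP/1.1 302 Found
Location: /cvpn/aHR0cDovLzEwLjk5LjIwNy4xNA/Citrix/WebMail/auth/agesso.aspx
Content-Type: text/html; charset=utf-8
"""

def parse_response(raw):
    """Return (status_code, [(lowercased_header_name, value), ...])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_names(headers):
    """Cookie names carried by Set-Cookie headers, in wire order."""
    return [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]

def dropped_cookies(upstream_raw, downstream_raw):
    """Return (back-end status, cookies set by the back end but absent downstream)."""
    status, up = parse_response(upstream_raw)
    _, down = parse_response(downstream_raw)
    seen = set(cookie_names(down))
    return status, [c for c in cookie_names(up) if c not in seen]

def decode_cvpn_target(path):
    """Decode the path segment after /cvpn/ (assumed unpadded URL-safe base64)."""
    seg = path.split("/cvpn/", 1)[1].split("/", 1)[0]
    seg += "=" * (-len(seg) % 4)  # restore the stripped padding
    return base64.urlsafe_b64decode(seg).decode("ascii")

if __name__ == "__main__":
    status, missing = dropped_cookies(UPSTREAM, DOWNSTREAM)
    print(status, missing)
    print(decode_cvpn_target("/cvpn/aHR0cDovLzEwLjk5LjIwNy4xNA/Citrix/WebMail"))
```

Decoding the /cvpn/ segment ties the client-facing request to the back-end host in the capture, which helps pair the two legs of the same transaction before comparing their headers.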

Resolution

This issue is resolved in the following releases:

  • Version 8.1 build 66.x
  • Version 9.0 build 69.x
  • Version 9.1 any build
