Two Gateway Vservers with the same FQDN and VIP are created on the same ADC, listening on different ports (8443 and 9443).
If a user logs in to Citrix Gateway1 on port 8443 first and then opens a new browser tab to access Citrix Gateway2 on port 9443, the user sees the published resources without going through any authentication.
Example:
Citrix Gateway1: https://a.com:8443
Citrix Gateway2: https://a.com:9443
When Citrix Gateway2 was accessed, the HTTP requests carried the NSC_AAAC cookie issued by Citrix Gateway1, which led Gateway2 to treat the user as already authenticated, so no authentication was required.
This is browser behaviour, not a Gateway defect: cookies are scoped by host name (and path), not by port, so a cookie set by a.com:8443 is also sent to a.com:9443. RFC 6265 (section 8.5) states this explicitly: cookies do not provide isolation by port.
Troubleshooting details:
After successful authentication, Citrix Gateway1 (https://XXXXXXXXX:8443) responded with "Set-Cookie: NSC_AAAC=..." to the client. All subsequent HTTP requests carried this cookie, indicating that the user had authenticated.
When a new browser tab was then opened to access Citrix Gateway2 (https://XXXXXXXXX:9443), the HTTP request sent by the client carried the same NSC_AAAC cookie, because the host name was unchanged and the browser does not separate cookies by port.
Gateway Vservers on the same ADC share session information (the AAA session table), so a session created on one Vserver is valid on every other Vserver of that appliance.
Because the request carried a valid NSC_AAAC cookie, Citrix Gateway2 treated the user as already authenticated and responded with a 302 to the StoreFront URL. For an unauthenticated client, Citrix Gateway would instead respond with a 302 to the logon page, Location: /logon/LogonPoint/index.htm.
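The two halves of the behaviour above (the browser attaching the cookie to a different port of the same host, and the shared AAA session table accepting it) can be replayed offline. The following is an added example written for this article; it is not Citrix code. Python's http.cookiejar is used as the "browser" because it applies the same host-scoped, port-blind cookie rule; the Gateway Vservers, the session IDs, the user name, the StoreFront path /Citrix/StoreWeb/ and the host b.com are constructed for the example. The third Vserver (same ADC, different FQDN) goes beyond the article's two-port case and shows the check a practitioner would want: the cookie is withheld as soon as the host name differs.

```python
"""Model of the cross-port NSC_AAAC reuse described in the article.

Layer 1 (browser): a cookie is scoped to host and path, never to port, so
the NSC_AAAC cookie set by a.com:8443 is attached to requests for a.com:9443.
Layer 2 (ADC): Gateway Vservers on one appliance share the AAA session table,
so a session ID minted by one Vserver is accepted by every other Vserver.
All hostnames, session IDs and the StoreFront URL are constructed.
"""
import email.message
import urllib.request
from http.cookiejar import CookieJar

LOGON_PAGE = "/logon/LogonPoint/index.htm"   # where an unauthenticated client is sent
STOREFRONT_URL = "/Citrix/StoreWeb/"          # constructed stand-in for the configured StoreFront URL


class _FakeResponse:
    """Minimal object with the info() method CookieJar.extract_cookies() needs."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for hdr in set_cookie_headers:
            self._msg.add_header("Set-Cookie", hdr)

    def info(self):
        return self._msg


class GatewayVserver:
    """One Citrix Gateway Vserver; `sessions` is the ADC's AAA session table."""

    def __init__(self, base_url, sessions):
        self.base_url = base_url
        self.sessions = sessions   # the same dict is handed to every Vserver on the ADC

    def login(self, jar, user, session_id):
        """Successful authentication: create the AAA session and give the
        browser the NSC_AAAC cookie (the value is opaque; a constructed ID is used)."""
        self.sessions[session_id] = user
        req = urllib.request.Request(self.base_url + "/cgi/login")
        resp = _FakeResponse([f"NSC_AAAC={session_id}; Secure; HttpOnly; Path=/"])
        jar.extract_cookies(resp, req)   # the browser stores the cookie for host a.com, path /

    def get(self, jar, path="/"):
        """Return (status, Location) for a request made by the browser `jar`."""
        req = urllib.request.Request(self.base_url + path)
        jar.add_cookie_header(req)       # browser attaches cookies matching host+path, ignoring port
        session_id = _cookie_value(req.get_header("Cookie", ""), "NSC_AAAC")
        if session_id is not None and session_id in self.sessions:
            return 302, STOREFRONT_URL   # valid session found: treated as authenticated
        return 302, LOGON_PAGE           # no usable cookie: redirect to the logon page


def _cookie_value(cookie_header, name):
    """Pick one cookie out of a 'Cookie: a=1; b=2' header."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def reproduce():
    """Replays the article's scenario and returns the outcome per Vserver."""
    jar = CookieJar()                       # one browser profile
    shared_sessions = {}                    # one ADC, one AAA session table
    gw1 = GatewayVserver("https://a.com:8443", shared_sessions)
    gw2 = GatewayVserver("https://a.com:9443", shared_sessions)
    gw3 = GatewayVserver("https://b.com:9443", shared_sessions)  # same ADC, different FQDN

    gw1.login(jar, "alice", "sess-0001")    # user authenticates on Gateway1 only
    return {
        "gw2": gw2.get(jar),          # same host, other port: cookie sent, session found
        "gw3": gw3.get(jar),          # other host: cookie withheld by the browser
        "fresh": gw2.get(CookieJar()),  # browser with no cookie at all
    }


if __name__ == "__main__":
    for name, (status, location) in reproduce().items():
        print(f"{name}: {status} Location: {location}")
```

Running it prints a 302 to the StoreFront URL for gw2 and a 302 to /logon/LogonPoint/index.htm for gw3 and the fresh browser: only a different host name, not a different port, keeps the NSC_AAAC cookie from crossing over. Against a live pair of Vservers the equivalent check is to authenticate on port 8443 with curl and a cookie jar (-c jar.txt), then request https://a.com:9443/ with that jar (-b jar.txt -o /dev/null -D -) and read the Location header: a StoreFront URL instead of /logon/LogonPoint/index.htm confirms the session reuse.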