I recently got a request from a partner that wanted to use the netscaler’s AAA functionality, with a little twist.

Overall objective: Modifying the access control cookies, to create a persistence session across browser close/open

Usecase description
User enters www.website.com
The netscaler takes care of the authorization in a AAA server.
The user is now logged in.
The user should be able to close the browser, wait a few minutes, open the browser to www.website.com and still be logged in.

This is not the default behavior with in the Netscaler

Default netscaler behavior.

When the user enters www.website.com, the user is redirected to the authentication site, aaa.website.com. Here the user enters username and password, and the netscaler does authentication based on the configuration. When the user is authenticated, 2 cookies will be set. And the user will be redirected back to www.website.com

The 2 cookies are important, since they verify that the user is authenticated.

Set-Cookie: NSC_TMAA=02a65617419c18edd4b6dbb6c58aeb3e;HttpOnly;Path=/;Domain=website.com
Set-Cookie: NSC_TMAS=f7fa0d2e10e3a9c4aeb5950f4837a823;Secure;HttpOnly;Path=/;Domain=website.com

The webdeveloper within us(don’t be shy!), will see that there is no “expires=” in the set-cookie string, (or MAX-AGE=) That means the cookie will be a session cookie. And session cookies will be deleted when the browser closes, which is what we don’t want.

So the task is: Make the NSC_TMAA and NSC_TMAS persistent.

The MOD

Intercept the first redirect from aaa.website.com to www.website.com and re-set the cookie, and then redirect the user back to www.website.com This is possible because the client is requesting www.website.com with the NSC_TMAA and NSC_TMAS cookies.

Sounds pretty simple! And it was, since I had my lovely netscaler to help me out.

NS Configuration to solve this specific request.
add responder action nsc_set_cookie respondwith q{“HTTP/1.1 302 Object Moved\r\n” + “Location: https://www.website.com/default.aspx” + “\r\n” + “Set-Cookie: mk_test42=1;Path=/;Domain=.website.com;MAX-AGE=3500” + “\r\n” + “Set-Cookie: NSC_TMAA=” + HTTP.REQ.COOKIE.VALUE(“NSC_TMAA”)+”;HttpOnly;Path=/;Domain=.website.com;MAX-AGE=3500″ + “\r\n” + “Set-Cookie: NSC_TMAS=” + HTTP.REQ.COOKIE.VALUE(“NSC_TMAS”)+”;Secure;HttpOnly;Path=/;Domain=.website.com;MAX-AGE=3500″ + “\r\n” + “Content-Length: 0” + “\r\n” + “Cache-Control: no-cache, no-store” + “\r\n” + “Pragma: no-cache” + “\r\n” + “Content-Type: text/html” + “\r\n”} -bypassSafetyCheck YES
add responder policy set_tmaa_cookie “!HTTP.REQ.HEADER(\”Cookie\”).CONTAINS(\”mk_test42\”) && HTTP.REQ.url.EQ(\”/default.aspx\”)” nsc_set_cookie
bind lb vserver vs_lb_website.com -policyName set_tmaa_cookie -priority 100 -gotoPriorityExpression END -type REQUEST

Explanation

Its important to avoid a looping situation(else we end up like this zebra), and by creating a dummy cookie on the same first request back to the website which is then tested on accomplishes that. In this configuration the dummy cookie is “mk_test42”. The first request does not have this cookie, this is picked up by the responder policy, and will respond with string that sets the mk_test42 cookie and the same NSC_TMAA/NSC_TMAS values with a MAX-AGE string. In this example the time is set for 3500 seconds, which will allow the user to have a closed browser for approx 1 hour.

The cookie value that the AAA vserver creates is intercepted with the HTTP.REQ.COOKIE.VALUE(“NSC_TMAA”) expression and is integrated in the response

Update:
The response action only worked with FF. I had to skip the MAX-AGE part IE does not understand MAX-AGE (tested with IE11), and add an extra \r\n to make chrome happy.
“HTTP/1.1 302 Object Moved\r\n” + “Location: https://www.website.com/default.aspx” + “\r\n” + “Set-Cookie: mk_test42=1;Path=/;Domain=.website.com;expires=” + SYS.TIME.ADD(3500).TYPECAST_TIME_AT + “\r\n” + “Set-Cookie: NSC_TMAA=” + HTTP.REQ.COOKIE.VALUE(“NSC_TMAA”)+”;HttpOnly;Path=/;Domain=.website.com;expires=” + SYS.TIME.ADD(3500).TYPECAST_TIME_AT + “\r\n” + “Set-Cookie: NSC_TMAS=” + HTTP.REQ.COOKIE.VALUE(“NSC_TMAS”)+”;Secure;HttpOnly;Path=/;Domain=.website.com;expires=” + SYS.TIME.ADD(3500).TYPECAST_TIME_AT + “\r\n” + “Content-Length: 0” + “\r\n” + “Cache-Control: no-cache, no-store” + “\r\n” + “Pragma: no-cache” + “\r\n” + “Content-Type: text/html” + “\r\n” + “\r\n”