Citrix Gateway

Enforce the HttpOnly flag on authentication cookies

Starting from Citrix Gateway release 13.1-37.x and later, the HttpOnly flag is available on the authentication cookies of VPN scenarios that is, NSC_AAAC and NSC_TMAS cookies. The NSC_TMAS authentication cookie is used during the nFactor authentication and the NSC_AAAC cookie is used for the authenticated session. The HttpOnly flag on a cookie restricts the cookie access using the JavaScript document cookie option. This helps in preventing cookie theft due to cross-site scripting.

Supported scenario

The HTTPOnly flag is supported for nFactor authentication.

Behavior when Citrix ADC AAA parameter’s HttpOnlyCookie knob is used along with tmsession’s HttpOnlyCookie knob:

  • When the authentication, authorization, and auditing parameter’s httpOnlyCookie knob is enabled and nFactor authentication is used, the authentication, authorization, and auditing parameter’s HttpOnlyCookie knob overrides the TM session’s HttpOnlyCookie knob. Also, both NSC_TMAS and NSC_AAAC are marked HttpOnly irrespective of the session type; whether it is a VPN session, TM session, or during nFactor authentication.
  • If the HttpOnlyCookie knob is disabled, the HttpOnly flag is not set for a VPN session. For the authentication, authorization, and auditing scenario, the HttpOnly flag is set based on the TM session knob value.

Configure the HttpOnly feature by using the CLI

  • Enable the HttpOnly flag

     set aaa parameter -httpOnlyCookie ENABLED
     <!--NeedCopy-->
    
  • Check the status of the HttpOnly feature

     show aaa parameter
     <!--NeedCopy-->
    

Limitations

  • When the HttpOnly feature is enabled, the Home Page button on the Citrix Secure Access client does not work.
  • HttpOnly flag is not set in any classic authentication.
Enforce the HttpOnly flag on authentication cookies