Marc Bouchard Posted December 1, 2015

We are using the VPX with form-based authentication for external access to a web application. User hits the website main URL, gets forwarded to authentication page, then back to main URL. The website has a "logout" button, that basically links to "www.mysite.com/logout".

Objective:
1. Delete the session cookies
2. Redirect back to the main url (back to authentication page).

I created a responder policy as follows:
Priority 100
Expression: HTTP.REQ.URL.CONTAINS("logout")
Action type: Redirect
Expression: "/"
This seems to work.

I created a traffic policy as follows:
Priority 150
Expression: HTTP.REQ.URL.CONTAINS("logout")
Traffic profile: AppTimeout 1
Initiate Logout is checked.

If I use only the traffic policy, it works. My session gets killed. But no redirect.
If I use only the responder policy, it seems to work (I see the new URL in the address bar).
If both are enabled, the traffic policy doesn't work anymore. I inverted priorities and no luck.

Kind of stuck with the logic on this one (still fairly new to netscalers). Thanks for any insight!

Marc

Ruud Hund1709153945 Posted December 1, 2015

Marc,

Check this link: https://blogsprod.s3.amazonaws.com/blogs/wp-content/uploads/2008/05/Citrix_NSPE.pdf

Page 9 shows you which type of expressions are handled first and which come after that. Best thing is to make a trace in your browser (e.g. httpfox for Firefox) from a client directly to the webpage and see if there are any unique things in the traffic flow which happen after you click logout. You can then use that to create a responder policy to redirect you back to the homepage.

Marc Bouchard Posted December 1, 2015

As per the document, once a policy is matched, that's it. No further attempts are made. That would explain the results I got (both work independently).

And I assume that the Responder type of policy comes first and since it worked, I lose the "logout" in the URL so the traffic profile has nothing to process. I would need to get the traffic profile to apply first and then forward to the next policy (or do the forwarding in the traffic profile?)

Any idea how I can get this to work? The suggestion of analyzing with the browser won't help much if I can't get two policies processed...

Ruud Hund1709153945 Posted December 1, 2015

Have you tried putting the traffic policy or responder policy with a GoTo expression of NEXT? It should continue. Is it maybe possible to send a httpfox trace to see what happens?

Marc Bouchard Posted December 1, 2015

The Traffic Policy doesn't have a Goto option. The Responder Policy does, but setting it to NEXT asks to set an action of NOOP.

Marc Bouchard Posted December 2, 2015

I thought that what I'm trying to do was something fairly simple and common. Nobody has an actual working method for doing this? Terminate session and go back to main page? Seems like I have all the components to do it but can't make them work together...

Marc Bouchard Posted December 3, 2015

Here's what I have so far... Stuff I have gathered from all over the place trying to resolve this issue.

add tm trafficAction Act_initiate_logout -appTimeout 1 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE
add tm trafficPolicy Pol_kill_aaa_session "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_initiate_logout

add rewrite action Act_logout_replace_location insert_http_header Location "\"https://appname.domainname.com\""
add rewrite action Act_invalidate_tmas_cookie insert_http_header Set-Cookie "\"NSC_TMAS=xyz;Domain=.domainname.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""
add rewrite action Act_invalidate_tmaa_cookie insert_http_header Set-Cookie "\"NSC_TMAA=xyz;Domain=.domainname.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""

add rewrite policy Pol_logout_replace_location "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_logout_replace_location
add rewrite policy Pol_invalidate_tmas_cookie "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_invalidate_tmas_cookie
add rewrite policy Pol_invalidate_tmaa_cookie "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_invalidate_tmaa_cookie

bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_logout_replace_location -priority 80 -gotoPriorityExpression 90 -type RESPONSE
bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_invalidate_tmas_cookie -priority 90 -gotoPriorityExpression 100 -type RESPONSE
bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_invalidate_tmaa_cookie -priority 100 -gotoPriorityExpression END -type RESPONSE
bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_kill_aaa_session -priority 50 -gotoPriorityExpression END -type REQUEST

Sanjith Abraham1709153204 Posted December 3, 2015

Hi Marc,

When you use traffic policy to clear out the user's session, which page does it redirect user to? There must be some response after the session is cleared on Netscaler.

Marc Bouchard Posted December 3, 2015

> Hi Marc, When you use traffic policy to clear out the user's session, which page does it redirect user to? There must be some response after the session is cleared on Netscaler.

The "Logout" button on the website links to "www.website.com/Logout" which doesn't exist. So I end up with the "Set-Cookie" command visible with an error message saying that /Logout doesn't exist. This is expected behaviour. Until I do the redirect, which should, based on the code above, simply redirect me to "https://appname.domainname.com/"

With all the above policies applied, all I get is the error page with the session actually closed. No redirect.

Sanjith Abraham1709153204 Posted December 3, 2015

So if I understand the flow correctly, the traffic policy is hit first and it clears the session, and the HTTP request is sent to the backend server. Since there is no page as /logout, the response from the backend server is a 404 Not Found.

If my above assumption is true, then you will have to create a rewrite policy that will look for www.website.com/Logout in the "response body" (not the request) and then replace the HTTP response with a 302 redirect.

Marc Bouchard Posted December 4, 2015

Indeed, it's a 404. The URL shown in the browser is still www.website.com/Logout, isn't that what the HTTP.REQ.URL.CONTAINS checks for? Even though the response was a 404, the request still went to the right place.

I'll give your suggestion a try! Thanks for that insight.

Marc Bouchard Posted December 4, 2015

Actually, I just created a dummy "Logout.html" file so there wouldn't be a 404 anymore and it just sits on the blank page...

Marc Bouchard Posted December 4, 2015

Progress! It seems to be doing what it's supposed to do now, however, the redirect is too fast, the "Initiate Logout" traffic policy doesn't have time to complete so I'm redirected to the home page of the site, which appears not to be logged out, but if I refresh, then I get back to the login prompt.

Basically, I need to insert a delay in the redirect... Back to googling!

Sanjith Abraham1709153204 Posted December 4, 2015

Hi Marc,

Good to know you made progress. The expressions you are using are only meant for the request part. Since only the traffic policy is getting hit in the request flow, the way to make that redirect work is by modifying the response of the backend server. Since you have created a logout page, you may want to add this into the HTML file:

<META HTTP-EQUIV="refresh" CONTENT="60;URL=https://appname.domainname.com/">

Here, content is the number of seconds before it refreshes the page with the URL specified.

Marc Bouchard Posted December 4, 2015

Well, basically I had it working all along... The problem is that the Initiate Logout function is not instant, so the redirect would send me back to the root before the logout was processed, thus reactivating the session.

Our dev team didn't want to manage the logout portion at all since we were managing the cookies/session from the Netscaler. So in the end, I ended up doing the refresh in client side code like above. Not at all what we wanted but it works.

Thanks everyone who chimed in to help!

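An added example (not from any poster in this thread): a Python check that reads a captured logout response and reports whether it expires the NSC_TMAS and NSC_TMAA cookies and whether it sends the browser anywhere, the two objectives of the opening post. The sample responses are constructed from the Set-Cookie header and META tag quoted above, the function names are hypothetical, and the check covers only what the browser is told, not the state of the AAA session on the appliance.

```python
import re
from datetime import datetime, timezone

SESSION_COOKIES = ("NSC_TMAS", "NSC_TMAA")   # cookie names quoted in the thread
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()

def parse_response(raw):
    """Split a raw HTTP response into ([(name, value)] headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def cookie_is_expired(set_cookie, now):
    """True if the Set-Cookie value has Max-Age <= 0 or an Expires date before now."""
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "max-age" and re.fullmatch(r"-?\d+", val.strip()) and int(val) <= 0:
            return True
        if key.lower() == "expires":
            m = re.search(r"(\d{1,2})[- ]([A-Za-z]{3})[- ](\d{4})", val)
            if m and m.group(2).lower() in MONTHS:
                month = MONTHS.index(m.group(2).lower()) + 1
                when = datetime(int(m.group(3)), month, int(m.group(1)), tzinfo=timezone.utc)
                if when < now:
                    return True
    return False

def audit_logout(raw, now=None):
    """Report which session cookies the response expires and where it sends the browser."""
    now = now or datetime.now(timezone.utc)
    headers, body = parse_response(raw)
    cleared = {name: False for name in SESSION_COOKIES}
    for name, value in headers:
        cookie = value.split("=", 1)[0].strip()
        if name == "set-cookie" and cookie in cleared and cookie_is_expired(value, now):
            cleared[cookie] = True
    location = next((v for n, v in headers if n == "location"), None)
    meta = re.search(r'http-equiv="refresh"\s+content="(\d+);\s*url=([^"]+)"', body, re.I)
    target = location or (meta.group(2) if meta else None)
    delay = int(meta.group(1)) if meta and not location else 0
    return {"cleared": cleared, "redirect": target, "delay_s": delay}

# Constructed samples: the 404 case described in the thread, and a page using the meta refresh.
COOKIE = "Set-Cookie: %s=xyz;Domain=.domainname.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n"
NO_REDIRECT = "HTTP/1.1 404 Not Found\r\n" + COOKIE % "NSC_TMAS" + COOKIE % "NSC_TMAA" + "\r\nNot found"
WITH_REFRESH = "HTTP/1.1 200 OK\r\n" + COOKIE % "NSC_TMAS" + '\r\n<META HTTP-EQUIV="refresh" CONTENT="60;URL=https://appname.domainname.com/">'
```

Calling audit_logout(NO_REDIRECT) shows both cookies expired but no redirect target, the situation reported on December 3; audit_logout(WITH_REFRESH) shows the 60-second refresh target with only NSC_TMAS expired.
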
Adham Labib Ali Posted February 6, 2018

Never too late for an answer:

Actually, in your responder just put this expression and it will work:

"HTTP/1.1 200 OK\n\r\n<body><meta http-equiv=\"refresh\" content=\"1;url=url_of_your_login_page\"><html>Logged out successfuly.<br/><img src=\"/cgi/tmlogout\" style=\"display: none;\" /><br/>Redirection in progress ...</html>"

Marc Bouchard Posted February 6, 2018

2 years later is a bit late :) I don't even work for them anymore lol :)

But thanks for sharing that information, might come in handy for anyone else looking to do the same thing!

Adham Labib Ali Posted February 6, 2018

That was the goal. I have been searching for it since yesterday and trying to figure it out myself, so sharing is always a good idea....

Mariusz Orkisz Posted March 18, 2018

Thank you alabib_826 !!! It works for me as well.

I am just testing and learning Netscaler TM and FormSSO, and I have written a small ASP.Net form-based web page for this purpose. I have faced the same issue as Marc; fortunately it was only my lab, not a production issue. IMHO Citrix should prepare a better and more clear solution for this.

Rakesh Verma Posted December 17, 2021

On 12/1/2015 at 6:35 PM, Marc Bouchard said:
> We are using the VPX with form-based authentication for external access to a web application. User hits the website main URL, gets forwarded to authentication page, then back to main URL. The website has a "logout" button, that basically links to "www.mysite.com/logout".
> Objective: 1. Delete the session cookies 2. Redirect back to the main url (back to authentication page).
> I created a responder policy as follows: Priority 100 Expression: HTTP.REQ.URL.CONTAINS("logout") Action type: Redirect Expression: "/" This seems to work.
> I created a traffic policy as follows: Priority 150 Expression: HTTP.REQ.URL.CONTAINS("logout") Traffic profile: AppTimeout 1 Initiate Logout is checked.
> If I use only the traffic policy, it works. My session gets killed. But no redirect. If I use only the responder policy, it seems to work (I see the new URL in the address bar). If both are enabled, the traffic policy doesn't work anymore. I inverted priorities and no luck.
> Kind of stuck with the logic on this one (still fairly new to netscalers). Thanks for any insight! Marc

Thanks Marc, I have created that responder policy and bound it to the CSVIP, and the problem is resolved.

OM Kaewsaenchai Posted August 24, 2023

On 12/1/2015 at 8:05 PM, Marc Bouchard said:
> We are using the VPX with form-based authentication for external access to a web application. User hits the website main URL, gets forwarded to authentication page, then back to main URL. The website has a "logout" button, that basically links to "www.mysite.com/logout".
> Objective: 1. Delete the session cookies 2. Redirect back to the main url (back to authentication page).
> I created a responder policy as follows: Priority 100 Expression: HTTP.REQ.URL.CONTAINS("logout") Action type: Redirect Expression: "/" This seems to work.
> I created a traffic policy as follows: Priority 150 Expression: HTTP.REQ.URL.CONTAINS("logout") Traffic profile: AppTimeout 1 Initiate Logout is checked.
> If I use only the traffic policy, it works. My session gets killed. But no redirect. If I use only the responder policy, it seems to work (I see the new URL in the address bar). If both are enabled, the traffic policy doesn't work anymore. I inverted priorities and no luck.
> Kind of stuck with the logic on this one (still fairly new to netscalers). Thanks for any insight! Marc

I am having issues with one website's logout like this; no matter how I use rewrite to Set-Cookie NSC_TMAS, it never worked. It seems the new NetScaler version says that the rewrite module cannot have access to AAA session cookies now. So I just tried Marc's Traffic Policy/Profile. It works! Thanks a lot!