
Delete cookies and redirect back to login page


Marc Bouchard


We are using the VPX with form-based authentication for external access to a web application.

 

User hits the website main URL, gets forwarded to authentication page, then back to main URL. 

 

The website has a "logout" button, that basically links to "www.mysite.com/logout".

 

Objective:

1. Delete the session cookies

2. Redirect back to the main url (back to authentication page).

 

I created a responder policy as follows:

Priority 100

Expression: HTTP.REQ.URL.CONTAINS("logout")

Action type: Redirect

Expression: "/"

 

This seems to work.

 

I created a traffic policy as follows:

Priority 150

Expression: HTTP.REQ.URL.CONTAINS("logout")

Traffic profile: AppTimeout 1

Initiate Logout is checked.

 

If I use only the traffic policy, it works. My session gets killed. But no redirect.

If I use only the responder policy, it seems to work (I see the new URL in the address bar).

If both are enabled, the traffic policy doesn't work anymore. I inverted priorities and no luck.

 

Kind of stuck with the logic on this one (still fairly new to netscalers).

 

Thanks for any insight!

 

Marc


Marc,

 

Check this link https://blogsprod.s3.amazonaws.com/blogs/wp-content/uploads/2008/05/Citrix_NSPE.pdf

Page 9 shows you which type of expressions are handled first and which come after that.

 

Best thing is to make a trace in your browser (e.g. HttpFox for Firefox) from a client directly to the webpage and see if there are any unique things in the traffic flow which happen after you click logout. You can then use that to create a responder policy to redirect you back to the homepage.


As per the document, once a policy is matched, that's it. No further attempts are made. That would explain the results I got (both work independently). And I assume that the Responder type of policy comes first and, since it worked, I lose the "logout" in the URL so the traffic profile has nothing to process.

 

I would need to get the traffic profile to apply first and then forward to the next policy (or do the forwarding in the traffic profile?)

 

Any idea how I can get this to work? The suggestion of analyzing with the browser won't help much if I can't get two policies processed...


Here's what I have so far... Stuff I have gathered from all over the place trying to resolve this issue.

 

add tm trafficAction Act_initiate_logout -appTimeout 1 -persistentCookie OFF -InitiateLogout ON -kcdAccount NONE

add tm trafficPolicy Pol_kill_aaa_session "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_initiate_logout
 
add rewrite action Act_logout_replace_location insert_http_header Location  "\"https://appname.domainname.com\""
add rewrite action Act_invalidate_tmas_cookie insert_http_header Set-Cookie "\"NSC_TMAS=xyz;Domain=.domainname.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""
add rewrite action Act_invalidate_tmaa_cookie insert_http_header Set-Cookie "\"NSC_TMAA=xyz;Domain=.domainname.com;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\""
 
add rewrite policy Pol_logout_replace_location "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_logout_replace_location
add rewrite policy Pol_invalidate_tmas_cookie  "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_invalidate_tmas_cookie
add rewrite policy Pol_invalidate_tmaa_cookie  "HTTP.REQ.URL.CONTAINS(\"Logout\")" Act_invalidate_tmaa_cookie
 
bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_logout_replace_location -priority 80 -gotoPriorityExpression 90 -type RESPONSE
bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_invalidate_tmas_cookie  -priority 90 -gotoPriorityExpression 100 -type RESPONSE
bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_invalidate_tmaa_cookie -priority 100 -gotoPriorityExpression END -type RESPONSE
bind lb vserver VIP_WEBSERVER_SSL -policyName Pol_kill_aaa_session -priority 50 -gotoPriorityExpression END -type REQUEST
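A way to check a captured logout response against what the rewrite policies in the post above are meant to produce, added here as an example (not code from the thread or from Citrix): it reports whether NSC_TMAS and NSC_TMAA are being expired and whether the Location header sits on a status code a browser will follow. The sample response is constructed, and `audit_logout` and its helpers are hypothetical names.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: a backend 404 for /Logout after the rewrite policies
# above inserted Location and the two expiring Set-Cookie headers.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Location: https://appname.domainname.com\r\n"
    "Set-Cookie: NSC_TMAS=xyz;Domain=.domainname.com;Path=/;"
    "expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n"
    "Set-Cookie: NSC_TMAA=xyz;Domain=.domainname.com;Path=/;"
    "expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure\r\n\r\n"
)

def parse_response(raw):
    """Return (status_code, [(lowercased_header_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in head[1:])]
    return status, headers

def is_expired(set_cookie, now):
    """True if this Set-Cookie value tells the browser to drop the cookie."""
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "max-age" and val.lstrip("-").isdigit():
            return int(val) <= 0
        if key.lower() == "expires":
            try:
                return parsedate_to_datetime(val) <= now
            except (TypeError, ValueError):
                return False  # unparseable or zone-less date: not expired
    return False

def audit_logout(raw, cookies=("NSC_TMAS", "NSC_TMAA"), now=None):
    """List the reasons this response will not both log out and redirect."""
    now = now or datetime.now(timezone.utc)
    status, headers = parse_response(raw)
    findings = []
    has_location = any(n == "location" for n, _ in headers)
    if has_location and status not in (301, 302, 303, 307, 308):
        findings.append(f"Location on status {status}: browser will not redirect")
    if not has_location:
        findings.append("no Location header")
    expired = {v.split("=", 1)[0].strip() for n, v in headers
               if n == "set-cookie" and is_expired(v, now)}
    findings += [f"{c} not expired" for c in cookies if c not in expired]
    return findings
```

Expired Set-Cookie headers only make the browser forget the cookies; ending the session on the appliance is what the traffic action's Initiate Logout does in this thread.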

Hi Marc,

 

When you use the traffic policy to clear out the user's session, which page does it redirect the user to? There must be some response after the session is cleared on NetScaler.

 

The "Logout" button on the website links to "www.website.com/Logout" which doesn't exist. So I end up with the "Set-Cookie" command visible with an error message saying that /Logout doesn't exist.

 

This is expected behaviour. Until I do the redirect, which should, based on the code above, simply redirect me to "https://appname.domainname.com/"

 

With all the above policies applied, all I get is the error page with the session actually closed. No redirect.


So if I understand the flow correctly, the traffic policy is hit first and it clears the session, and the HTTP req. is sent to the backend server. Since there is no page such as /logout, the response from the backend server is a 404 Not Found.

If my above assumption is true, then you will have to create a rewrite policy that will look for www.website.com/Logout in the "response body" (not the request) and then replace the HTTP response with a 302 redirect.


Progress! It seems to be doing what it's supposed to do now, however, the redirect is too fast, the "Initiate Logout" traffic policy doesn't have time to complete so I'm redirected to the home page of the site, which appears not to be logged out, but if I refresh, then I get back to the login prompt. 

 

Basically, I need to insert a delay in the redirect... Back to googling!


Hi Marc,

 

Good to know you made progress. The expressions you are using are only meant for the request part. Since only the traffic policy is getting hit in the req. flow, the way to make that redirect work is by modifying the response of the backend server.

Since you have created a logout page, you may want to add this into the HTML file:

<META HTTP-EQUIV="refresh" CONTENT="60;URL=https://appname.domainname.com/">

Here CONTENT is the number of sec. before it refreshes the page with the URL specified.


Well, basically I had it working all along... The problem is that the Initiate Logout function is not instant, so the redirect would send me back to the root before the logout was processed, thus reactivating the session.

 

Our dev team didn't want to manage the logout portion at all since we were managing the cookies/session from the Netscaler.

 

So in the end, I ended up doing the refresh in client side code like above. Not at all what we wanted but it works.

 

Thanks everyone who chimed in to help!


  • 2 years later...

Never too late for an answer:

Actually, in your responder just put this expression and it will work:

"HTTP/1.1 200 OK\r\n\r\n<html><head><meta http-equiv=\"refresh\" content=\"1;url=url_of_your_login_page\"></head><body>Logged out successfully.<br/><img src=\"/cgi/tmlogout\" style=\"display: none;\" /><br/>Redirection in progress ...</body></html>"


  • 1 month later...

Thank you alabib_826!!! It works for me as well. I am just testing and learning NetScaler TM and FormSSO, and I have written a small ASP.NET form-based web page for this purpose. I have faced the same issue as Marc; fortunately it was only my lab, not a production issue. IMHO Citrix should prepare a better and more clear solution for this.


  • 3 years later...
On 12/1/2015 at 6:35 PM, Marc Bouchard said: (original post, quoted in full)

Thanks Marc, I have created that responder policy & bound it to the CSVIP & the problem is resolved.


  • 1 year later...
On 12/1/2015 at 8:05 PM, Marc Bouchard said: (original post, quoted in full)

I am having issues with one of the website logouts like this. No matter how I use rewrite to Set-Cookie NSC_TMAS, it never worked. It seems the new NetScaler version said that the rewrite module cannot have access to AAA session cookies now. So I just tried Marc's Traffic Policy/Profile. It works! Thanks a lot!