Securing Citrix ADC persistent cookies

Why secure Citrix ADC cookies?

If the risk associated with a compromised Citrix Gateway account is high, apply the Secure attribute to cookies and force all sensitive requests to be sent over HTTPS. From Citrix NetScaler release 10.5 build 55.8 onward, the persistence cookie can additionally be encrypted, on top of protecting the connection itself with SSL/TLS.

The following cookies are set by Citrix Gateway after a successful login:

Set-Cookie: NSC_TMAA=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Set-Cookie: NSC_TMAS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure

NSC_TMAA is the counterpart of NSC_TMAS and is deliberately set without the Secure flag so that the client can present it over plain-text HTTP if required. Both cookies are set once the user has authenticated on Citrix ADC, and both matter because they are what marks the session as authenticated. The practical consequence is that NSC_TMAA, unlike NSC_TMAS, will be transmitted on any plain HTTP request to the same path, where it can be observed by anyone positioned on that unencrypted connection.

The Set-Cookie response above is by design on Citrix ADC and is therefore expected behavior, not a misconfiguration.
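A quick way to confirm which cookies a gateway hands out without the Secure attribute is to audit the raw Set-Cookie headers. The following Python is an added example, not code from the Citrix article or from Citrix; it parses Set-Cookie header lines and reports every cookie that lacks Secure (and, for completeness, HttpOnly). The sample headers are the two cookies quoted above, embedded as constructed input so the script runs offline; the function and class names are the example's own.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example (not from the Citrix article): parses raw Set-Cookie header
lines and reports which cookies a browser would also send over plain HTTP.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)."""
    line = header.strip()
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1].strip()
    # Attributes are ';'-separated; the Expires value contains a comma but no ';'.
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return ParsedCookie(name.strip(), value, attrs)


def insecure_cookies(headers: List[str]) -> List[str]:
    """Names of cookies set without the Secure attribute (sent over plain HTTP)."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


def cookies_without_httponly(headers: List[str]) -> List[str]:
    """Names of cookies readable from script because HttpOnly is absent."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


# Constructed sample: the two gateway session cookies quoted in the article.
SAMPLE_HEADERS = [
    "Set-Cookie: NSC_TMAA=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT",
    "Set-Cookie: NSC_TMAS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure",
]

if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_HEADERS):
        print(f"{name}: set without Secure, will be sent over plain-text HTTP")
    for name in cookies_without_httponly(SAMPLE_HEADERS):
        print(f"{name}: set without HttpOnly, readable by page script")
```

Run against the sample, the audit reports NSC_TMAA as the only cookie missing Secure, which matches the by-design behavior described above; pointing the same parser at the headers captured from your own gateway (for example from the browser's network tab or a proxy) shows whether anything else is exposed.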

Instructions for securing Citrix ADC cookies

Objective: prevent Citrix ADC persistence cookies from being decoded

Instructions: This setting applies to the persistence cookie that a load balancing virtual server inserts for cookie-based persistence; it encrypts the cookie value rather than just marking it Secure. To encrypt the cookie using the configuration utility, navigate to Traffic Management > Change Load Balancing Parameters, select Use Secured Persistence Cookie, and enter a value in Cookie Passphrase. You can also use the following CLI command:

set lb parameter -useSecuredPersistenceCookie ENABLED -cookiePassphrase <passphrase>

Example (the passphrase "test" is for illustration only; use a long, random passphrase in production, since it is what protects the cookie contents):

set lb parameter -useSecuredPersistenceCookie ENABLED -cookiePassphrase test

Reference

https://support.citrix.com/article/CTX220162
https://support.citrix.com/article/CTX202900