
We are using COOKIEINSERT set to use session cookies with 4 servers behind the NetScaler. If I open the webpage, it loads OK. If I remove the NetScaler-added cookie and refresh the page, I am asked to log in again (uses Windows auth, NTLM). The caveat is that, providing the request happens to go to the same server, it succeeds. If it picks another server, it fails with the login.

The removal of that cookie isn't a likely scenario in normal circumstances. However, we have another application that makes requests to the API exposed by this same web app. If the cookie does not exist, the multiple AJAX requests that fire at roughly the same time may or may not work and each request may go to a different server (we have HTTP headers to see this is the case).

  1. Is the need to login again if that cookie is removed a fault?
  2. How does the NetScaler deal with multiple requests like this when I presume it has tried to set a persistent session to one server? Does it care that the same client is making/initiating requests to different servers? Despite it being a session cookie, does the NetScaler do some kind of tracking?
dmce

1 Answer


First of all, the need to log in again when the persistency cookie is removed is all dependent on your application. If your application has a shared backend for user sessions, it shouldn't really matter on which backend server you arrive, as long as your user session is still valid.

Moreover, consider a server failure in the midst of a transaction which has multiple AJAX requests. At that time, the NetScaler will also direct the next requests to the following available backend server.

Next, consider the scenario that multiple AJAX calls are being sent. In the case that your webpage is being served from the same backend servers, the client will already have a cookie available. (The AJAX calls will not fire until the HTML/JS code calling them is loaded in the browser, implying that there has already been a response and a cookie has been set.)

I'm not sure if this answers your second question completely?

Jan
  • I made a mistake using the term login. It's more authentication, as it happens transparently as on an intranet. User has domain login, therefore authenticates. The scenario of the failure would be OK providing the authentication worked. The last scenario in your answer would also be partially resolved as all calls would work (although HTML/JS is not same backend). I guess the timing of 3 requests at once could only be sent to same backend if it wasn't NetScaler cookies and some tracking on NetScaler itself? – dmce Feb 22 '17 at 07:10
  • You could play around by adding a specific header to your request, specifying a server id. The server id should match what you have configured in the service group binding of a member server. However, you would lose the NetScaler's ability to dynamically select the best available backend server. – Jan Feb 22 '17 at 08:47
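
An added illustration, not part of the question, the answer or the comments above: a simplified Python model of cookie-based persistence, showing why several requests sent at once without a persistence cookie can each reach a different server, while one priming request first keeps the whole burst on one server. The round-robin choice, the `LB_PERSIST` cookie name and the plain-text cookie value are assumptions of this sketch, not NetScaler's actual algorithm or cookie format.

```python
import itertools


class CookieInsertLB:
    """Toy load balancer with cookie-insert persistence (not NetScaler code)."""

    COOKIE = "LB_PERSIST"  # hypothetical cookie name

    def __init__(self, backends):
        self.backends = list(backends)
        self._next = itertools.cycle(self.backends)  # assumed: round robin

    def handle(self, cookies):
        """Route one request; return (backend, cookies to set on the response)."""
        pinned = cookies.get(self.COOKIE)
        if pinned in self.backends:
            return pinned, {}  # valid persistence cookie: stay on that server
        chosen = next(self._next)  # no cookie: fresh load-balancing decision
        return chosen, {self.COOKIE: chosen}


def burst(lb, jar, n):
    """Send n requests that all leave the client before any response arrives.

    Every request carries the same snapshot of the cookie jar, so a cookie
    set by one response cannot influence the other requests in the burst.
    """
    snapshot = dict(jar)
    results = [lb.handle(snapshot) for _ in range(n)]
    for _, set_cookie in results:
        jar.update(set_cookie)  # the last Set-Cookie received wins
    return [backend for backend, _ in results]


def primed_burst(lb, jar, n):
    """Send one request first, store its cookie, then send the burst."""
    first, set_cookie = lb.handle(dict(jar))
    jar.update(set_cookie)
    return [first] + burst(lb, jar, n)


if __name__ == "__main__":
    servers = ["web1", "web2", "web3", "web4"]  # constructed backend names
    print("no cookie:", burst(CookieInsertLB(servers), {}, 3))
    print("primed   :", primed_burst(CookieInsertLB(servers), {}, 3))
```
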