The idea we got was to stop exposing the cookie to the user and only add it so that the backend sees it using a rewrite. The second thing we also want to do is remove this cookie so even though the user has the cookie, it will never be sent to the backend.
The solution is quite simple and looks like this:
add rewrite action RWA-REQ-USERNAME_COOKIE-CREATE insert_http_header Cookie "\"username=\" + HTTP.REQ.USER.NAME + \"; \""
add rewrite action RWA-REQ-USERNAME_COOKIE-DELETE delete_all "HTTP.REQ.HEADER(\"Cookie\")" -search "regex(re~((^(?i)(username)=.*?;\\s*)|(\\s(?i)(username)=.*?;\\s*))~)"
add rewrite action RWA-REQ-USERNAME_COOKIE-INSERT insert_after "HTTP.REQ.HEADER(\"Cookie\")" "\" username=\" + HTTP.REQ.USER.NAME + \"; \""
add rewrite policy RWP-REQ-USERNAME_COOKIE-NORW true NOREWRITE
add rewrite policy RWP-REQ-USERNAME_COOKIE-CREATE "HTTP.REQ.HEADER(\"Cookie\").EXISTS.NOT" RWA-REQ-USERNAME_COOKIE-CREATE
add rewrite policy RWP-REQ-USERNAME_COOKIE-DELETE "HTTP.REQ.HEADER(\"Cookie\").EXISTS" RWA-REQ-USERNAME_COOKIE-DELETE
add rewrite policy RWP-REQ-USERNAME_COOKIE-INSERT "HTTP.REQ.HEADER(\"Cookie\").EXISTS" RWA-REQ-USERNAME_COOKIE-INSERT
add rewrite policylabel RWPL-REQ-USERNAME_COOKIE http_req
bind rewrite policylabel RWPL-REQ-USERNAME_COOKIE RWP-REQ-USERNAME_COOKIE-CREATE 100 END
bind rewrite policylabel RWPL-REQ-USERNAME_COOKIE RWP-REQ-USERNAME_COOKIE-DELETE 110 NEXT
bind rewrite policylabel RWPL-REQ-USERNAME_COOKIE RWP-REQ-USERNAME_COOKIE-INSERT 120 END
bind lb vserver <vServer Name> -policyName RWP-REQ-USERNAME_COOKIE-NORW -priority 100 -gotoPriorityExpression END -type REQUEST -invoke policylabel RWPL-REQ-USERNAME_COOKIE
From my initial tests, this will remove all cookies named ”username” (case insensitive) and add a new one with values from NetScaler AAA. If the user isn’t sending any Cookie-header at all, we’ll add one as well.
Seems to work very well!
Have you done this in any other way? Feel free to post how you did it.