3

Our client has this little LAN with reception terminals where they stream Chrome web browser through Citrix XenApp. Why? I don't know. And it’s weird, but this tandem seems to spoil the data they submit on our site's forms. Some things that physically cannot get cached — get cached somewhere in this XenApp thing.

It’s a very important bug for us, because we manage payment processing and it is caching sensitive cardholder data, which is sooo non-PCI DSS compatible!

We’ve told them to install normal Chrome browsers to the end machines, and they say they did. But next day — same issue happens. Then they say — “oh, it was one of the old machines with Citrix XenApp again.” Meh! Now maybe a week passes and we get same issue again, but they claim that they don’t use XenApp anymore, it’s a normal local Chrome.

I don’t believe them. But how can we prove them wrong?

TL;DR: is it possible to detect if:

  1. A site visitor used normal local Chrome browser or
  2. Visited under a Chrome browser streamed through Citrix XenApp?

Here’s an example of USER_AGENT we're getting:

    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36

It looks like a totally normal Chrome build. Tried to look through HTTP headers and there is nothing really special there.

Is there a way to determine this, even theoretically?

  1. Our application stack is LAMP, thus the PHP tag.
  2. Please don’t suggest that it’s our software bug. We have hundreds of clients, millions of transactions and this situation happens only with this Citrix XenApp crazy client.

EDIT: this is not a duplicate! Here I'm talking about a website running in a browser, and server-side scripting. Not about a Windows application with APIs and DLLs.

Oleg Dubas
  • Why not set up a free trial of the XenApp and test it yourself? That might be a good start? – DannyThunder Jan 26 '15 at 14:51
  • @DannyThunder, it's good advice (would be, if I wouldn't have thought about it already), but, unfortunately, not an answer. – Oleg Dubas Jan 26 '15 at 15:02
  • Didn't post as answer, posted as comment. What have you tested? Just checking headers? Maybe check how things are cached too? – DannyThunder Jan 26 '15 at 15:15
  • Please explain your thought about caching – Oleg Dubas Jan 29 '15 at 14:58
  • Your question is very odd. How do you find out that some data are cached on their side, anyway? – Tomas M Jan 29 '15 at 17:28
  • Because they are sending card data for card present transactions, which was sent a day ago, creating a duplicate charge on customers' cards. They swipe new cards, but our system receives old cards' data. This is not the question, though. The question is how to detect XenApp – Oleg Dubas Jan 29 '15 at 18:37
  • If I understand what XenApp is correctly, your options are limited, because it is a real Chrome running virtualized on a remote server. The only idea that comes to mind is IP address or JS geolocation. – Alexander O'Mara Jan 30 '15 at 01:15
  • Add into HTTP header "CitrixAPP" to WTOS ini. – Marin Sagovac Jan 31 '15 at 20:37
  • Possible duplicate of [API for Determining if App is Running on Citrix or Terminal Services](http://stackoverflow.com/questions/4186153/api-for-determining-if-app-is-running-on-citrix-or-terminal-services) – Paul Sweatte Nov 27 '15 at 12:04
  • @PaulSweatte: No, it is not a duplicate. Here I was talking about a website running in a browser, and server-side scripting. Not about a Windows application with APIs and DLLs – Oleg Dubas Nov 28 '15 at 16:45

4 Answers

3

Short answer: you really can't. XenApp is, for all intents and purposes, remote desktop. In fact at one point Microsoft RDP and Citrix were the same codebase licensed back and forth.

Longer answer: When you launch Chrome via XenApp, Chrome is actually launched on the server. The display is then captured, redirected, and streamed to the client over ICA. The reason you can't tell with headers or HTTP traffic in general whether or not the user is running XenApp is that from a Chrome<->Webserver perspective (or any application really), nothing really changes. The only delta is in where the UI gets rendered.

One thing I should mention is that if someone's running XenApp in a large-ish install, they probably have some NetScalers kicking around. If so, those can do all kinds of strange HTTP caching, so you may be looking in the wrong place for an explanation of your caching issues.

XeroxDucati
  • Thank you for mentioning NetScaler, I wasn't familiar with this app. Will investigate further, throwing this bone into the fire. One more idea though: if this Chrome app is "shared" among several users. Do you think its cookies are shared, too? It could give me a possibility to throw some individual cookies and if they intersect I could guess they share same Chrome via XenApp. What do you think? – Oleg Dubas Feb 02 '15 at 03:31
  • If it were shared, that would certainly work, but unfortunately it's not. Every user/stream gets a new instance of the app, in its own sandbox -- even if you went to the trouble of writing a Chrome plugin of some sort, it wouldn't work, you'd just get multiple independent instances that aren't aware of each other. – XeroxDucati Feb 02 '15 at 13:16
  • Thank you for your input! – Oleg Dubas Feb 02 '15 at 14:13
  • Just some extra info, although it doesn't change the answer (you can't). The question explicitly says "streamed", and XenApp does have a separate streaming feature (however it isn't used very often). If your client is using app streaming then the app is being physically downloaded to the terminal and executed locally in a sandbox. I.e. it doesn't run on the XenApp server. – donovan Feb 04 '15 at 06:02
1

Personally I am not familiar with Citrix XenApp, but taken from here http://www.citrix.com/products/xenapp/how-it-works/application-virtualization.html is the way Citrix XenApp works.

> Understanding application virtualization
>
> Citrix application virtualization technology isolates applications from the underlying operating system and from other applications to increase compatibility and manageability. As a modern application delivery solution, XenApp virtualizes applications via integrated application streaming and isolation technology. This application virtualization technology enables applications to be streamed from a centralized location into an isolation environment on the target device where they will execute.
>
> With XenApp, applications are not installed in the traditional sense. The application files, configuration, and settings are copied to the target device and the application execution at run time is controlled by the application virtualization layer. When executed, the application run time believes that it is interfacing directly with the operating system when, in fact, it is interfacing with a virtualization environment that proxies all requests to the operating system.
>
> XenApp is unique in that it is a complete system for virtual application delivery, offering both online and offline application access through a combination of application hosting and application streaming directly to user devices.
>
> When users request an application, XenApp determines if their device is compatible and capable of running the application in question. The minimum requirements of a target device are a compatible Windows® operating system and appropriate Citrix client software. If the user device meets minimum requirements, then XenApp initiates application virtualization via application streaming directly into an isolated environment on the user’s device. In the event that the user device is not capable of running a particular application, XenApp initiates session virtualization.

Prevent caching in your htaccess file.

    # env=NO_CACHE: Apache sends this header only on requests where the NO_CACHE variable is set
    Header set Cache-Control "private, max-age=0, no-cache, no-store, must-revalidate" env=NO_CACHE

In case you want to prevent caching on certain file types try for example:

    <FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
        Header set Cache-Control "private, max-age=0, no-cache, no-store, must-revalidate" env=NO_CACHE
    </FilesMatch>
  • My answer is based on the fact that Citrix XenApp is working as a proxy (of some sort), and from a relative question regarding caching http://stackoverflow.com/questions/3456726/how-to-disable-proxy-caching-with-htaccess –  Feb 02 '15 at 13:19
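
A way to check that the header from this answer actually reaches the client, as an added example that is not part of the original answer: with `env=NO_CACHE`, Apache sends the header only when that variable is set, so a response can go out with no cache policy at all. The `audit` function, its finding strings and the sample headers are constructed for illustration.

```python
# Added example: audit response headers of a page that carries sensitive data.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def audit(headers):
    """Return findings for one response; an empty list means nothing may store it.

    `headers` maps header names to values; names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if not cc:
        findings.append("no Cache-Control header: caches may apply heuristics")
    if "no-store" not in cc:
        findings.append("no-store missing: browser or proxy may keep a copy")
    if "public" in cc:
        findings.append("public present: shared caches are explicitly allowed")
    if "private" not in cc and "no-store" not in cc:
        findings.append("private missing: a shared cache may serve it to others")
    return findings


# Constructed samples (not captured from any real site).
SAMPLES = {
    # What the .htaccess line sends when the NO_CACHE variable is set.
    "header applied": {"Cache-Control": "private, max-age=0, no-cache, "
                                        "no-store, must-revalidate"},
    # What the client sees when env=NO_CACHE never matches: no header at all.
    "env not set": {"Content-Type": "text/html"},
    # Weak setting: no-cache forces revalidation but still permits storage.
    "no-cache only": {"cache-control": "no-cache, max-age=0"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", audit(hdrs) or "OK")
```

Feed it the headers of a real response from the payment form (for instance copied from the browser's network panel) to confirm the policy is present on the pages that matter.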
0

You can possibly detect them using their IP address. If they use XenApp, their IP will be different from the local LAN.

LearningToCode
  • I am not sure. If the entire LAN has the same single IP address, then the XenApp server within that LAN will have the same IP address. We always get the same IP address from them, no matter how they connect, it's one single hospital building with the only IP address. – Oleg Dubas Feb 02 '15 at 13:07