How to detect if a site visitor is browsing the site through Citrix XenApp?

Question

Our client has this little LAN with reception terminals where they stream Chrome web browser through Citrix XenApp. Why? I don't know. And it’s weird, but this tandem seems to spoil the data they submit on our sites forms. Some things that physically can not get cached — get cached somewhere in this XenApp thing.

It’s a very important bug for us, because we manage payment processing and it is cashing sensitive cardholder data, which is sooo non PCI DDS compatible!

We’ve told them to install normal Chrome browsers to the end machines, and they say they did. But next day — same issue happens. Then they say — “oh, it was one of the old machines with Citrix XenApp again.” Meh! Now maybe a week passes and we get same issue again, but they claim that they don’t use XenApp anymore, it’s a normal local Chrome.

I don’t believe them. But how can we prove them wrong?

TL;DR: is it possible to detect if:

1. A site visitor used normal local Chrome browser or
2. Visited under a Chrome browser streamed through Citrix XenApp?

Here’s an example of USER_AGENT we're getting:

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36

It looks like a totally normal Chrome build. Tried to look through HTTP headers and there is nothing really special there.

Is there a way to determine this, even theoretically?

1. Our application stack is LAMP, thus the PHP tag.
2. Please don’t suggest that it’s our software bug. We have hundreds of clients, millions of transactions and this situation happens only with this Citrix XenApp crazy client.

EDIT: this is not a duplicate! Here I'm talking about a website running in browser, and server-side scripting. Not about a windows application with APIs and DLLs

Answer 1

Check for Citrix specific HTTP headers:

• X-Citrix-Gateway
• X-Citrix-Via

and a proxy header:

• X-Forwarded-For

and Citrix specific cookies:

• WIUser=
• WINGDevice=
• WINGSession=
• WIClientInfo=

and Citrix specific SSL errors:

• SSL Error 61
• SSL Error 75
• SSL Error 74

References

• Archive: ICA Client Selection and other Web Interface Preferences

• Archive: Access Gateway Enterprise Edition - Set Cookie not Sent to Requesting Host through Clientless VPN

• XenApp and XenDesktop Authentication (ppt)

• Citrix Client SSL Error Codes

• Error: "The server certificate received is not trusted (SSL Error 61)" for Receiver Users

• How to Extract the SSL Session ID from an HTTP Request and Insert the SSL Session ID into a Custom HTTP Header

• Case Study: Cookie Does Not Expire for Some Mobile Users

• How Citrix Application Firewall Modifies Application Data Traffic

Answer 2

Personally i am not familiar with Citrix XenApp but taken from here http://www.citrix.com/products/xenapp/how-it-works/application-virtualization.html is the way Citrix XenApp works.

Understanding application virtualization Citrix application virtualization technology isolates applications from the underlying operating system and from other applications to increase compatibility and manageability. As a modern application delivery solution, XenApp virtualizes applications via integrated application streaming and isolation technology. This application virtualization technology enables applications to be streamed from a centralized location into an isolation environment on the target device where they will execute. With XenApp, applications are not installed in the traditional sense. The application files, configuration, and settings are copied to the target device and the application execution at run time is controlled by the application virtualization layer. When executed, the application run time believes that it is interfacing directly with the operating system when, in fact, it is interfacing with a virtualization environment that proxies all requests to the operating system. XenApp is unique in that it is a complete system for virtual application delivery, offering both online and offline application access through a combination of application hosting and application streaming directly to user devices. When users request an application, XenApp determines if their device is compatible and capable of running the application in question. The minimum requirements of a target device are a compatible Windows® operating system and appropriate Citrix client software. If the user device meets minimum requirements, then XenApp initiates application virtualization via application streaming directly into an isolated environment on the user’s device. In the event that the user device is not capable of running a particular application, XenApp initiates session virtualization.

Prevent caching in your htaccess file.

Header set Cache-Control "private, max-age=0, no-cache, no-store, must-revalidate" env=NO_CACHE

In case you want to prevent caching on certain file types try for example:

  <FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
    Header set Cache-Control "private, max-age=0, no-cache, no-store, must-revalidate" env=NO_CACHE
    </FilesMatch>

Answer 3

You can detect them using their IP address possibly. If they will use the XenApp their IP will be different than the local lan.

Answer 4

Short answer: you really can't.. XenApp is, for all intents and purposes, remote desktop. In fact at one point Microsoft RDP and Citrix were the same codebase licensed back and forth.

Longer answer: When you launch Chrome via XenApp, Chrome is actually launched on the server. The display is then captured, redirected, and streamed to the client over ICA. The reason you can't tell with headers or HTTP traffic in general whether or not the user is running XenApp is that from a Chrome<->Webserver perspective (or any application really), nothing really changes. The only delta is in where the UI gets rendered.

One thing I should mention is that if someone's running XenApp in a large-ish install, they probably have some NetScalers kicking around. If so, those can do all kinds of strange HTTP caching, so you may be looking in the wrong place for an explanation of your caching issues..