Reference: Session variables

What is a session variable?

An Access policy stores the values that actions return in session variables. A session variable contains a number or string that represents a specific piece of information. This information is organized in a hierarchical arrangement and is stored as the user’s session data.

Session variables can be useful in access policies to achieve various results, including:

  • Customizing access rules or defining your own access policy rules.

  • Providing different outcomes for policies based on the values in the session variables.

  • Determining which resources to assign to users.

How Access constructs session variable names

Session variables for authenticating Active Directory and querying BIG-IP Next Access are named in the following manner:

  •{username}.queryresult = query result (0 = failed, 1=passed)

  •{username}.authresult = authentication result (0 = failed, 1=passed)

  •{username}.attr.{attr_name} = the name of an attribute retrieved during the Active Directory query. Each retrieved attribute is converted to a separate session variable.

Attributes assigned to a user on the AAA server are specific to that server, and not to BIG-IP Next Access.

Session variables

The following table gives a list of default session variables and its related information.

Session variable Description Example
session.access.profile Specifies the BIG-IP Next Access policy name. "samlsp"
session.access.profile_name Specifies the BIG-IP Next Access profile name. "my_access_policy"
session.access.profileid Specifies the BIG-IP Next Access policy ID that was created when you configured the policy. "924ce854-a9a2-43b5-bada-39a32846f6fa"
session.access.profiletype Specifies the profile type.
session.access.scope Specifies the scope of an access profile.
0: User can access resources behind the same access profile.
1: User can access resources behind the same virtual server.
2: User can access resources behind any access profile with global scope.
session.assigned.uuid Specifies the name of the UUID assigned to the session. "f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
session.client.activex Specifies whether the client is capable of running ActiveX controls.
1: Yes
0: No
session.client.browscap_info Specifies the browser information presented. "uimode=0&ctype=Mozilla&cversion=1&
session.client.js Specifies whether the device used Web Logon mode to log on.
1: Yes
0: No
session.client.platform Specifies the client platform as determined by HTTP headers. "MacOS"
session.client.plugin Specifies whether the client has plugin support.
1: Yes
0: No
session.client.type Specifies the client browser type. "Mozilla"
session.client.version Specifies the client protocol version. "1"
session.createdfrom "ACCESS"
session.edgeclient.scripting.logoff.params Specifies variables that are passed by Access to the client devices.
session.inactivity_timeout Specifies the inactivity timeout currently assigned to the session. "600"
session.keydb.current "532a43389615110f459da9d2adbb118e" "fdcdb63fd9a1a6066d32624fadbb118e"
session.ldap.last.attr.$attr_name Specifies the user's attributes received during the LDAP query. Each attribute is converted to separate session variables.
session.ldap.last.errmsg Specifies an error message for the last error generated for LDAP.
session.ldap.last.errmsgext Specifies an extended error information for the last error message generated for LDAP.
session.ldap.last.queryresult Specifies the result of the LDAP query.
1: Passed
0: Failed
session.logon.last.username Specifies the logon name used to start a session. "joe" Specifies the error code for login attempts on the logon page. "0"
session.max_session_timeout Specifies the maximum session timeout currently assigned to the session. "2000"
session.policy.result Specifies the result of the access policy. "not_started"
session.policy.result.policy_path Specifies the path that the policy session follows including the branches and items. "
session.server.landinguri Specifies the landing URI Specifies the application name. Specifies the application stack name.
session.server.listener.ext_name Specifies the extended application stack name. Specifies the application stack object, to which the access profile is attached. "samlapp" "" "80" "http"
session.state Specifies the state of the session. When the value is allow, the session status is "established", else it is "pending". "established" / "allow" Specifies the session stats bytes-in reported. "0"
session.stats.bytes.out Specifies the session stats bytes-out reported. "0"
session.ui.mode Specifies the UI mode, as determined by HTTP headers. Available values are:
0 - Full Browser
6 - Pocket PC (browser)
7 - Standalone Client (clientless mode, no support for endpoint inspection; not Edge Client)
8 - ActiveSync Client
9 - Mobile Browser (smart phone)
10 - Citrix Receiver
session.user.clientip Specifies the client IP address associated with a session. ""
session.user.display_sessionid "0f2261af"
session.user.expirationtime Specifies the expiration time for the session. When you retrieve session data for a specific session, the expiration time is displayed in an epoch time format. "2022-06-07T02:18:29Z" / "1654568309"
session.user.sessionid Specifies the Session ID of each session. "fd793008"
session.user.sessiontype Specifies the user session type. "ltm_access"
session.user.starttime Specifies the start time of the session. When you retrieve session data for a specific session, the start time is displayed in an epoch time format. "2022-06-07T00:38:29Z" / "1654562309"
Specifies the user attributes for the session. "joe"