Reference: Session variables
What is a session variable?
An Access policy stores the values that actions return in session variables. A session variable contains a number or string that represents a specific piece of information. This information is organized in a hierarchical arrangement and is stored as the user’s session data.
Session variables can be useful in access policies to achieve various results, including:
- Customizing access rules or defining your own access policy rules.
- Providing different outcomes for policies based on the values in the session variables.
- Determining which resources to assign to users.
Session variables for authenticating Active Directory and querying BIG-IP Next Access are named in the following manner:
- session.ad.{username}.queryresult = query result (0 = failed, 1 = passed)
- session.ad.{username}.authresult = authentication result (0 = failed, 1 = passed)
- session.ad.{username}.attr.{attr_name} = the name of an attribute retrieved during the Active Directory query. Each retrieved attribute is converted to a separate session variable.
Attributes assigned to a user on the AAA server are specific to that server, and not to BIG-IP Next Access.
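The naming scheme above, as an added example that is not part of the original documentation or any F5 code: a Python helper that groups the `session.ad.*` variables by username and treats anything other than the exact value `"1"` as a failure. It assumes the session data is available as a flat mapping of variable name to string value and that a username may itself contain dots; the function names, the sample data, and the choice to require both results to pass are assumptions made for this example.

```python
import re
from collections import defaultdict

# Matches the three Active Directory naming patterns listed above. The
# username group is non-greedy and the suffix is anchored, so a username
# that itself contains dots (assumed possible) is still captured whole.
AD_VAR = re.compile(
    r"^session\.ad\.(?P<user>.+?)\."
    r"(?:(?P<result>queryresult|authresult)|attr\.(?P<attr>[^.]+))$"
)

def collect_ad_results(session_vars):
    """Group session.ad.* variables by username.

    session_vars: flat dict of variable name -> string value (assumed shape).
    Returns {username: {"queryresult": bool, "authresult": bool, "attr": {...}}}.
    """
    users = defaultdict(
        lambda: {"queryresult": False, "authresult": False, "attr": {}}
    )
    for name, value in session_vars.items():
        m = AD_VAR.match(name)
        if not m:
            continue  # not an Active Directory variable
        entry = users[m["user"]]
        if m["result"]:
            # Fail closed: only the exact string "1" counts as passed.
            entry[m["result"]] = (str(value).strip() == "1")
        else:
            entry["attr"][m["attr"]] = value
    return dict(users)

def ad_passed(session_vars, username):
    """True only if both the AD query and AD authentication passed."""
    entry = collect_ad_results(session_vars).get(username)
    return bool(entry and entry["queryresult"] and entry["authresult"])

# Constructed sample data, not captured from a real system.
SAMPLE = {
    "session.logon.last.username": "joe",
    "session.ad.joe.queryresult": "1",
    "session.ad.joe.authresult": "1",
    "session.ad.joe.attr.memberOf": "CN=vpn-users,DC=example,DC=com",
    "session.ad.ann.lee.queryresult": "1",
    "session.ad.ann.lee.authresult": "0",
    "session.ad.ann.lee.attr.mail": "ann.lee@example.com",
}
```

A missing `queryresult` or `authresult` variable leaves the corresponding flag at its default of failed, so an incomplete session record is never read as a pass.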
Session variables
The following table lists the default session variables and their related information.
Session variable | Description | Example |
---|---|---|
session.access.named_scope | ||
session.access.profile | Specifies the BIG-IP Next Access policy name. | "samlsp" |
session.access.profile_name | Specifies the BIG-IP Next Access profile name. | "my_access_policy" |
session.access.profileid | Specifies the BIG-IP Next Access policy ID that was created when you configured the policy. | "924ce854-a9a2-43b5-bada-39a32846f6fa" |
session.access.profiletype | Specifies the profile type. 1: 0: | "1" |
session.access.scope | Specifies the scope of an access profile. 0: User can access resources behind the same access profile. 1: User can access resources behind the same virtual server. 2: User can access resources behind any access profile with global scope. | "0" |
session.assigned.uuid | Specifies the name of the UUID assigned to the session. | "f81d4fae-7dec-11d0-a765-00a0c91e6bf6" |
session.client.activex | Specifies whether the client is capable of running ActiveX controls. 1: Yes 0: No | "0" |
session.client.browscap_info | Specifies the browser information presented. | "uimode=0&ctype=Mozilla&cversion=1&cjs=1&cactivex=0&cplugin=1&cplatform=MacOS&cpu=unknown&ccustom_protocol=1" |
session.client.cpu | ||
session.client.custom_protocol | ||
session.client.js | Specifies whether the device used Web Logon mode to log on. 1: Yes 0: No | "1" |
session.client.platform | Specifies the client platform as determined by HTTP headers. | "MacOS" |
session.client.plugin | Specifies whether the client has plugin support. 1: Yes 0: No | "1" |
session.client.type | Specifies the client browser type. | "Mozilla" |
session.client.version | Specifies the client protocol version. | "1" |
session.createdfrom | | "ACCESS" |
session.edgeclient.scripting.logoff.params | Specifies variables that are passed by Access to the client devices. | |
session.ha_unit | ||
session.inactivity_timeout | Specifies the inactivity timeout currently assigned to the session. | "600" |
session.keydb.current | | "532a43389615110f459da9d2adbb118e" |
session.keydb.final | | "fdcdb63fd9a1a6066d32624fadbb118e" |
session.ldap.last.attr.$attr_name | Specifies the user's attributes received during the LDAP query. Each attribute is converted to separate session variables. | |
session.ldap.last.errmsg | Specifies an error message for the last error generated for LDAP. | |
session.ldap.last.errmsgext | Specifies extended error information for the last error message generated for LDAP. | |
session.ldap.last.queryresult | Specifies the result of the LDAP query. 1: Passed 0: Failed | |
session.logon.last.username | Specifies the logon name used to start a session. | "joe" |
session.logon.page.errorcode | Specifies the error code for login attempts on the logon page. | "0" |
session.max_session_timeout | Specifies the maximum session timeout currently assigned to the session. | "2000" |
session.policy.result | Specifies the result of the access policy. | "not_started" |
session.policy.result.policy_path | Specifies the path that the policy session follows including the branches and items. | " |
session.server.landinguri | Specifies the landing URI. | |
session.server.listener.application.name | Specifies the application name. | |
session.server.listener.application_stack.name | Specifies the application stack name. | |
session.server.listener.ext_name | Specifies the extended application stack name. | |
session.server.listener.name | Specifies the application stack object, to which the access profile is attached. | "samlapp" |
session.server.network.name | | "10.101.201.220" |
session.server.network.port | | "80" |
session.server.network.protocol | | "http" |
session.snapshotid | ||
session.state | Specifies the state of the session. When the value is allow, the session status is "established", else it is "pending". | "established" / "allow" |
session.stats.bytes.in | Specifies the session stats bytes-in reported. | "0" |
session.stats.bytes.out | Specifies the session stats bytes-out reported. | "0" |
session.stats.egress.compressed | ||
session.stats.egress.raw | ||
session.stats.ingress.compressed | ||
session.stats.ingress.raw | ||
session.stats.packets.in | ||
session.stats.packets.out | ||
session.timeout | ||
session.ui.lang | ||
session.ui.mode | Specifies the UI mode, as determined by HTTP headers. Available values are: 0: Full Browser; 6: Pocket PC (browser); 7: Standalone Client (clientless mode, no support for endpoint inspection; not Edge Client); 8: ActiveSync Client; 9: Mobile Browser (smart phone); 10: Citrix Receiver | "0" |
session.user.agent | ||
session.user.clientip | Specifies the client IP address associated with a session. | "102.12.12.10" |
session.user.display_sessionid | | "0f2261af" |
session.user.expirationtime | Specifies the expiration time for the session. When you retrieve session data for a specific session, the expiration time is displayed in an epoch time format. | "2022-06-07T02:18:29Z" / "1654568309" |
session.user.sessionid | Specifies the Session ID of each session. | "fd793008" |
session.user.sessiontype | Specifies the user session type. | "ltm_access" |
session.user.starttime | Specifies the start time of the session. When you retrieve session data for a specific session, the start time is displayed in an epoch time format. | "2022-06-07T00:38:29Z" / "1654562309" |
session.logon.last.username, session.logon.last.logonname, subsession.logon.last.username, session.saml.last.identity, session.oauth.client.last.id_token, subsession.oauth.client.last.id_token | Specifies the user attributes for the session. | "joe" |