Session variable reference
What is a session variable?
An Access policy stores the values that actions return in session variables. A session variable contains a number or string that represents a specific piece of information. This information is organized in a hierarchical arrangement and is stored as the user’s session data.
The Current Sessions report in the Access Policy Manager Reports area displays all session variables for a session. Session variables can be useful in access policies to achieve various results, including:
Customizing access rules or defining your own access policy rules.
Providing different outcomes for policies based on the values in the session variables.
Determining which resources to assign to users (with the Resource Assign action).
Session variables for authenticating Active Directory and querying BIG-IP Next Access are named in the following manner:
session.ad.{username}.queryresult = query result (0 = failed, 1 = passed)
session.ad.{username}.authresult = authentication result (0 = failed, 1 = passed)
session.ad.{username}.attr.{attr_name} = the name of an attribute retrieved during the Active Directory query. Each retrieved attribute is converted to a separate session variable.
Attributes assigned to a user on the AAA server are specific to that server, and not to Access Policy Manager.
Session variables information
This table lists session variables and related reference information. In the variable names, $name stands for the agent name, which BIG-IP Next generates automatically.
Action Item | Session Variable | Type | Description |
---|---|---|---|
Denied Ending | session.policy.result | String | Access policy result: the access policy ended at Deny. The value is access_denied. |
Redirect Ending | session.policy.result | String | Access policy result: the access policy ended at Redirect. The value is redirect. |
N/A | session.policy.result.redirect.url | String | URL specified in the redirect, for example, http://www.siterequest.com. |
Allowed Ending | session.policy.result | String | Access policy result: the access policy ended at Allow. The value is allowed. |
N/A | session.policy.result.webtop.network_access.autolaunch | String | Name of the resource that is automatically started for a network access webtop. |
N/A | session.policy.result.webtop.type | String | Type of webtop resource: network_access or web_application. |
Session management | session.ui.mode | Enum | UI mode, as determined by HTTP headers. UI mode reflects the protocol that the client used to communicate with the server during Access session establishment and access policy execution. UI mode does not directly map to client type (session.client.type). For example, when BIG-IP Edge Client uses a web browser component to establish a session, the session.ui.mode is set to 0 (Full Browser). Values: 0: Full Browser 6: Pocket PC (browser) 7: Standalone Client (clientless mode, no support for endpoint inspection; not Edge Client) 8: ActiveSync Client 9: Mobile Browser (smart phone) 10: Citrix Receiver |
N/A | session.ui.lang | String | Language in use in the session, for example "en" (English). |
N/A | session.ui.charset | String | Character set used in the session. |
N/A | session.client.type | Enum | Client type as determined by HTTP headers: portalclient or "Standalone" (Edge Client). |
N/A | session.client.version | String | N/A |
N/A | session.client.jailbreak | Bool | Mobile device is jailbroken/rooted: 0: No 1: Yes |
N/A | session.client.activex | Bool | Client is capable of running ActiveX Controls: 0: No 1: Yes |
N/A | session.client.plugin | Bool | N/A |
N/A | session.client.platform | String | Client platform as determined by HTTP headers: "Android" "ChromeOS" "iOS" "Linux" "MacOS" "Win10" "Win2k" "Win7" "Win8.1" "Win8" "WindowsPhone" "WinLH" "WinNT" "WinVI" "WinXP" |
N/A | session.user.access_mode | String | Enables direct access to a Citrix resource from the webtop. Example: local. |
Active Directory action | session.ad.$name.queryresult | Bool | 0 or 1. 0: Active Directory query failed 1: Active Directory query passed |
N/A | session.ad.$name.authresult | Bool | 0 or 1. 0: Active Directory authentication failed 1: Active Directory authentication passed |
N/A | session.ad.$name.attr.$attr_name | String | User attributes retrieved during Active Directory query. Each attribute is converted to a separate session variable. |
N/A | session.ad.$name.attr.group.$attr_name | String | User's group attributes retrieved during Active Directory query. Each group attribute is converted to a separate session variable. |
Advanced Resource Assign | session.assigned.bwc.dynamic | String | Name of the assigned dynamic bandwidth control policy. |
N/A | session.assigned.bwc.static | String | Name of the assigned static bandwidth control policy. |
Client certificate authentication | session.ssl.cert.x509extension | String | X509 extensions. |
N/A | session.ssl.cert.valid | String | Certificate result: OK or error string. |
N/A | session.ssl.cert.exist | Integer | 0 or 1. 0: Certificate does not exist 1: Certificate exists |
N/A | session.ssl.cert.version | String | Certificate version |
N/A | session.ssl.cert.subject | String | Certificate subject field |
N/A | session.ssl.cert.serial | String | Certificate serial number |
N/A | session.ssl.cert.end | String | Validity end date |
N/A | session.ssl.cert.start | String | Validity start date |
N/A | session.ssl.cert.issuer | String | Certificate issuer |
N/A | session.ssl.cert.whole | String | The whole certificate |
Decision box | session.decision_box.last.result | Integer | 0 or 1. 0: User chooses option 2 on the decision page, which corresponds to the fallback rule branch in the action. 1: User chooses option 1 on the decision page. |
Encryption of client hard disk | session.check_software.last.hd.item_1.state | Bool | 0 or 1. 0: Not all drives encrypted. 1: All drives encrypted. Currently, there is no session variable available to represent the status of the System Drive Encrypted state. |
N/A | session.check_software.last.hd.state | Bool | Unused session variable; always shows the value 0. |
File check | session.windows_check_file.$name.item_0.exist | String | True - if all files exist on the client. |
N/A | session.windows_check_file.$name.item_0.result | Integer | Set when files on the client meet the configured attributes. |
N/A | session.windows_check_file.$name.item_0.md5 | String | MD5 value of a checked file. |
N/A | session.windows_check_file.$name.item_0.version | String | Version of a checked file. |
N/A | session.windows_check_file.$name.item_0.size | Integer | File size, in bytes. |
N/A | session.windows_check_file.$name.item_0.modified | N/A | Date the file was modified in UTC form. |
N/A | session.windows_check_file.$name.item_0.signer | N/A | File signer information. |
LDAP action | session.ldap.$name.authresult | Bool | 0 or 1. 0: LDAP authentication failed 1: LDAP authentication passed |
N/A | session.ldap.$name.attr.$attr_name | String | User attributes retrieved during LDAP query. Each attribute is converted to a separate session variable. |
N/A | session.ldap.$name.queryresult | Bool | 0 or 1. 0: LDAP query failed 1: LDAP query passed |
Logon Page (CAPTCHA challenge) | session.logon.captcha.tracking | Unsigned Integer | A bitmask used when CAPTCHA is enabled. Bit in 0 position: Track successful and unsuccessful logon attempts by IP address. Bit in 1 position: Track successful and unsuccessful logon attempts by user name. This variable should not be used by external modules because it is intended for very specific purposes. |
Machine Cert Auth | session.check_machinecert.last.result | Integer | 0, 1, 2, or -2. 0: Neither certificate nor private key found. 1: Both certificate and private key found. 2: Certificate found, but private key not found. -2: Various errors, such as: Nothing received from client. Data received is not in correct format. Incorrect configuration. (For example, CA profile is not configured). Linux client is trying to access the agent. The Machine Cert Auth action is not supported on Linux. |
OTP Generate | session.otp.assigned.val | String | Generated one-time password value to send to the end user. Example message: One-Time Passcode: %{session.otp.assigned.val} |
N/A | session.otp.assigned.expire | String | Internally used timestamp; OTP expiration in seconds since this date and time: (00:00:00 UTC, January 1, 1970) |
N/A | session.otp.assigned.ttl | String | OTP time-to-live; configurable as OTP timeout in seconds. Example message: OTP expires after use or in %{session.otp.assigned.ttl} seconds |
OTP Verify | session.otp.verify.last.authresult | Bool | 0 or 1. 0: OTP authentication failed 1: OTP authentication passed |
RADIUS action | session.radius.$name.authresult | Bool | 0 or 1. 0: RADIUS authentication failed 1: RADIUS authentication passed |
N/A | session.radius.$name.attr.$attr_name | String | User attributes retrieved during RADIUS authentication. Each attribute is converted to a separate session variable. |
Resource allocation | session.assigned.resources.at | String | Space-delimited list of names of assigned App tunnel resources. |
N/A | session.assigned.resources.na | String | Space-delimited list of names of assigned Network Access resources. |
N/A | session.assigned.resources.pa | String | Space-delimited list of names of assigned Portal Access resources. |
N/A | session.assigned.resources.rd | String | Space-delimited list of names of assigned remote desktop resources. |
N/A | session.assigned.resources.saml | String | Space-delimited list of names of assigned SAML resources. |
N/A | session.assigned.webtop | String | Name of the assigned webtop. |
Windows Info | session.windows_info_os.$name.ie_version | String | Stores the Internet Explorer version |
N/A | session.windows_info_os.$name.ie_updates | String | List of installed SP and KB fixes for Internet Explorer. For example: "¦SP2¦KB12345¦KB54321¦" |
N/A | session.windows_info_os.$name.platform | String | Platform. "Win7" - Windows 7 "Win8" - Windows 8 "WinVI" - Windows "WinXP" - Windows XP "Win2003" - Windows 2003 Server "WinLH" - Windows 2008 |
N/A | session.windows_info_os.$name.updates | String | List of installed SP and KB fixes for Windows. For example, "¦SP2¦KB12345¦KB54321¦" |
N/A | session.windows_info_os.$name.user | String | List of current Windows user names |
N/A | session.windows_info_os.$name.computer | String | List of computer names |
Windows Process | session.windows_check_process.$name.result | Integer | 0, 1, or -1. 0: Failure 1: Success -1: Invalid check expression |
Windows Registry | session.windows_check_registrys.$name.result | Integer | 0, 1, or -1. 0: Failure 1: Success -1: Invalid check expression |
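
The following is an added example, not code from BIG-IP Next or its documentation: it reads one session's variables and flags a session that ended at Allow even though an authentication, query, certificate, or device check in the table above reported a failure. The "name = value" input format, the agent name ad_auth_1, and the sample values are assumptions constructed for the example.

```python
import re

# Constructed sample for one session. The "name = value" line format and the
# agent name "ad_auth_1" are assumptions made for this example.
SAMPLE = """\
session.policy.result = allowed
session.client.jailbreak = 1
session.ad.ad_auth_1.authresult = 1
session.ad.ad_auth_1.queryresult = 0
session.ad.ad_auth_1.attr.memberOf = CN=VPN-Users,DC=example,DC=test
session.ssl.cert.exist = 1
session.ssl.cert.valid = OK
session.check_machinecert.last.result = 2
"""

# Per-agent result variables: session.<ad|ldap|radius>.$name.<authresult|queryresult>
AGENT_RE = re.compile(
    r"session\.(?P<kind>ad|ldap|radius)\.(?P<agent>[^.]+)\.(?P<check>authresult|queryresult)")
# Non-passing result codes from the Machine Cert Auth row of the table.
MACHINE_CERT = {0: "neither certificate nor private key found",
                2: "certificate found, but private key not found",
                -2: "error (nothing received, bad format, configuration, Linux client)"}

def parse(text):
    """Return {variable: value}; split on the first '=' only, since values
    such as distinguished names contain '=' themselves."""
    flat = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            flat[name.strip()] = value.strip()
    return flat

def failed_checks(flat):
    """List every check in the session that did not pass."""
    issues = []
    for name, value in flat.items():
        m = AGENT_RE.fullmatch(name)
        if m and value == "0":
            issues.append(f"{m['kind']} agent {m['agent']}: {m['check']} failed")
    if flat.get("session.client.jailbreak") == "1":
        issues.append("mobile device is jailbroken/rooted")
    if flat.get("session.ssl.cert.exist") == "1" and flat.get("session.ssl.cert.valid") != "OK":
        issues.append("client certificate: " + flat.get("session.ssl.cert.valid", "no result"))
    code = flat.get("session.check_machinecert.last.result")
    if code is not None and code != "1":
        issues.append("machine cert: " + MACHINE_CERT.get(int(code), "unknown code " + code))
    return issues

def review(flat):
    """Flag a session that ended at Allow although some check failed."""
    issues = failed_checks(flat)
    return {"flag": flat.get("session.policy.result") == "allowed" and bool(issues),
            "issues": issues}
```

A flagged session usually means a failure branch in the access policy still leads to an Allowed ending, which is worth checking against the intended policy design.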