Manual Chapter : About per-session and per-request policies

Applies To:

Show Versions Show Versions


  • 15.0.1, 15.0.0
Manual Chapter

About per-session and per-request policies

Access Policy Manager (APM) provides two types of policies.
Per-session policy
The per-session policy runs when a client initiates a session. (A per-session policy is also known as an access policy.) Depending on the actions you include in the access policy, it can authenticate the user and perform other actions that populate session variables with data for use throughout the session.
Per-request policy
After a session starts, a
per-request policy
runs each time the client makes an HTTP or HTTPS request. Because of this behavior, a per-request policy is particularly useful in the context of a Zero Trust scenario, where the client requires re-verification on every request. A per-request policy can include a subroutine, which starts a subsession. Multiple subsessions can exist at one time.
You cannot use subroutines in macros within per-request policies.
You can associate one access policy and one per-request policy with a virtual server.