Applies To:
BIG-IP APM
- 11.5.1
About session variables
An access policy stores the values that actions return in session variables. A session variable contains a number or string that represents a specific piece of information. This information is organized in a hierarchical arrangement and is stored as the user's session data.
The Current Sessions report in the Access Policy Manager Reports area displays all session variables for a session. Session variables can be useful in access policies to achieve various results, including:
- Customizing access rules or defining your own access policy rules.
- Providing different outcomes for policies based on the values in the session variables.
- Determining which resources to assign to users (with the Resource Assign action).
About session variable names
The name of a session variable consists of multiple hierarchical nodes separated by periods (.).
Session variables for Active Directory authentication and query
Access Policy Manager names session variables in the following manner:
- session.ad.<username>.queryresult = query result (0 = failed, 1 = passed)
- session.ad.<username>.authresult = authentication result (0 = failed, 1 = passed)
- session.ad.<username>.attr.<attr_name> = the name of an attribute retrieved during the Active Directory query. Each retrieved attribute is converted to a separate session variable.
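The following is an added example, not F5 code: it arranges dotted session variable names into the hierarchy described above and summarizes the Active Directory results for each `<username>` node. The `name = value` input lines mirror the notation of the list above rather than any APM export format, and the `jsmith` node and all values are constructed for illustration.

```python
# Constructed sample: names follow the patterns on this page; the "jsmith"
# node and every value are invented for illustration.
SAMPLE = """\
session.ad.jsmith.authresult = 1
session.ad.jsmith.queryresult = 0
session.ad.jsmith.attr.memberOf = CN=VPN-Users,DC=example,DC=com
session.policy.result = redirect
session.policy.result.redirect.url = http://www.siterequest.com
"""

def parse_lines(text):
    """Parse 'name = value' lines; only the first '=' separates name and value."""
    pairs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            pairs[name.strip()] = value.strip()
    return pairs

def build_tree(pairs):
    """Nest names by node. A node's own value is stored under '' so a name can be
    both leaf and parent (session.policy.result and ...result.redirect.url)."""
    tree = {}
    for name, value in pairs.items():
        node = tree
        for part in name.split("."):
            node = node.setdefault(part, {})
        node[""] = value
    return tree

def ad_summary(tree):
    """Per <username> node: auth/query result (0 = failed, 1 = passed) and attributes."""
    summary = {}
    for user, node in tree.get("session", {}).get("ad", {}).items():
        if not isinstance(node, dict):
            continue  # session.ad carrying a value of its own is not a user node
        results = {}
        for key in ("authresult", "queryresult"):
            raw = node.get(key, {}).get("")
            if raw is not None and raw not in ("0", "1"):
                raise ValueError(f"session.ad.{user}.{key}: expected 0 or 1, got {raw!r}")
            results[key] = None if raw is None else raw == "1"
        results["attrs"] = {a: n[""] for a, n in node.get("attr", {}).items()
                            if isinstance(n, dict) and "" in n}
        summary[user] = results
    return summary

if __name__ == "__main__":
    print(ad_summary(build_tree(parse_lines(SAMPLE))))
```

A result of `None` means the variable was absent from the input, which is distinct from a recorded failure (`False`).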
Session variables reference
This table includes session variables and related reference information.
Session variables for access policy action items
Action Item | Session Variable | Type | Description |
---|---|---|---|
Denied Ending | session.policy.result | string | Access policy result: the access policy ended at Deny. The value is "access_denied". |
Redirect Ending | session.policy.result | string | Access policy result: the access policy ended at Redirect. The value is "redirect". |
Redirect Ending | session.policy.result.redirect.url | string | URL specified in the redirect, for example, "http://www.siterequest.com" |
Allowed Ending | session.policy.result | string | Access policy result: the access policy ended at Allow. The value is "allowed". |
Allowed Ending | session.policy.result.webtop.network_access.autolaunch | string | Name of the resource that is automatically started for a network access webtop |
Allowed Ending | session.policy.result.webtop.type | string | Type of webtop resource: "network_access" or "web_application". |
Session management | session.ui.mode | enum | UI mode, as determined by HTTP headers. |
Session management | session.ui.lang | string | Language in use in the session, for example "en" (English). |
Session management | session.ui.charset | string | Character set used in the session. |
Session management | session.client.type | enum | Client type as determined by HTTP headers: portalclient "Standalone" |
Session management | session.client.version | string | |
Session management | session.client.js | bool | |
Session management | session.client.activex | bool | |
Session management | session.client.plugin | bool | |
Session management | session.client.platform | string | Client platform as determined by HTTP headers: |
Session management | session.user.access_mode | string | Enables direct access to a Citrix resource from the webtop. Example: "local" |
Active Directory action | session.ad.$name.queryresult | bool | 0 or 1. |
Active Directory action | session.ad.$name.authresult | bool | 0 or 1. |
Active Directory action | session.ad.$name.attr.$attr_name | string | User attributes retrieved during Active Directory query. Each attribute is converted to a separate session variable. |
Active Directory action | session.ad.$name.attr.group.$attr_name | string | User's group attributes retrieved during Active Directory query. Each group attribute is converted to a separate session variable. |
Advanced Resource Assign | session.assigned.bwc.dynamic | string | Name of the assigned dynamic bandwidth control policy |
Advanced Resource Assign | session.assigned.bwc.static | string | Name of the assigned static bandwidth control policy |
Client certificate authentication | session.ssl.cert.x509extension | string | X509 extensions |
Client certificate authentication | session.ssl.cert.valid | string | Certificate result: OK or error string |
Client certificate authentication | session.ssl.cert.exist | integer | 0 or 1. |
Client certificate authentication | session.ssl.cert.version | string | Certificate version |
Client certificate authentication | session.ssl.cert.subject | string | Certificate subject field |
Client certificate authentication | session.ssl.cert.serial | string | Certificate serial number |
Client certificate authentication | session.ssl.cert.end | string | Validity end date |
Client certificate authentication | session.ssl.cert.start | string | Validity start date |
Client certificate authentication | session.ssl.cert.issuer | string | Certificate issuer |
Client certificate authentication | session.ssl.cert.whole | string | The whole certificate |
Decision box | session.decision_box.last.result | integer | 0 or 1. |
File check | session.windows_check_file.$name.item_0.exist | string | True - if all files exist on the client. |
File check | session.windows_check_file.$name.item_0.result | integer | Set when files on the client meet the configured attributes. |
File check | session.windows_check_file.$name.item_0.md5 | string | MD5 value of a checked file. |
File check | session.windows_check_file.$name.item_0.version | string | Version of a checked file. |
File check | session.windows_check_file.$name.item_0.size | integer | File size, in bytes. |
File check | session.windows_check_file.$name.item_0.modified | | Date the file was modified in UTC form. |
File check | session.windows_check_file.$name.item_0.signer | | File signer information. |
LDAP action | session.ldap.$name.authresult | bool | 0 or 1. |
LDAP action | session.ldap.$name.attr.$attr_name | string | User attributes retrieved during LDAP query. Each attribute is converted to a separate session variable. |
LDAP action | session.ldap.$name.queryresult | bool | 0 or 1. |
Logon Page (CAPTCHA challenge) | session.logon.captcha.tracking | unsigned integer | A bitmask used when CAPTCHA is enabled. Note: Should not be used by external modules because it is intended for very specific purposes. |
Machine Cert Auth | session.check_machinecert.last.result | integer | 0, 1, 2, or -2. Note: The Machine Cert Auth action is not supported on Linux. |
OTP Generate | session.otp.assigned.val | string | Generated one-time password value to send to the end user. Example message: One-Time Passcode: %{session.otp.assigned.val} |
OTP Generate | session.otp.assigned.expire | string | Internally used timestamp; OTP expiration in seconds since this date and time: (00:00:00 UTC, January 1, 1970) |
OTP Generate | session.otp.assigned.ttl | string | OTP time-to-live; configurable as OTP timeout in seconds. Example message: OTP expires after use or in %{session.otp.assigned.ttl} seconds |
OTP Verify | session.otp.verify.last.authresult | bool | 0 or 1. |
RADIUS action | session.radius.$name.authresult | bool | 0 or 1. |
RADIUS action | session.radius.$name.attr.$attr_name | string | User attributes retrieved during RADIUS authentication. Each attribute is converted to a separate session variable. |
Resource allocation | session.assigned.resources | string | Space-delimited list of names of assigned resources. |
Resource allocation | session.assigned.webtop | string | Name of the assigned webtop. |
Windows Info | session.windows_info_os.$name.ie_version | string | Stores the Internet Explorer version |
Windows Info | session.windows_info_os.$name.ie_updates | string | List of installed SP and KB fixes for Internet Explorer. For example: "¦SP2¦KB12345¦KB54321¦" |
Windows Info | session.windows_info_os.$name.platform | string | Platform. |
Windows Info | session.windows_info_os.$name.updates | string | List of installed SP and KB fixes for Windows. For example, "¦SP2¦KB12345¦KB54321¦" |
Windows Info | session.windows_info_os.$name.user | string | List of current Windows user names |
Windows Info | session.windows_info_os.$name.computer | string | List of computer names |
Windows Process | session.windows_check_process.$name.result | integer | 0, 1, or -1. |
Windows Registry | session.windows_check_registrys.$name.result | integer | 0, 1, or -1. |