Manual Chapter : Session Variables

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.5.1
Manual Chapter

About session variables

An access policy stores the values that actions return in session variables. A session variable contains a number or string that represents a specific piece of information. This information is organized in a hierarchical arrangement and is stored as the user's session data.

The Current Sessions report in the Access Policy Manager Reports area displays all session variables for a session. Session variables can be useful in access policies to achieve various results, including:

  • Customizing access rules or defining your own access policy rules.
  • Providing different outcomes for policies based on the values in the session variables.
  • Determining which resources to assign to users (with the Resource Assign action).

About session variable names

The name of a session variable consists of multiple hierarchical nodes separated by periods (.).

It includes the string session, a type, the agent name or the string last, intermediate agent-specific info, node name (attr or result), attribute name How APM constructs session variable names

Session variables for Active Directory authentication and query

Access Policy Manager names session variables in the following manner:
  • session.ad.<username>.queryresult = query result (0 = failed, 1=passed)
  • session.ad.<username>.authresult = authentication result (0 = failed, 1=passed)
  • session.ad.<username>.attr.<attr_name> = the name of an attribute retrieved during the Active Directory query. Each retrieved attribute is converted to a separate session variable.
Note that attributes assigned to a user on the AAA server are specific to that server, and not to Access Policy Manager.

Session variables reference

This table includes session variables and related reference information.

Session variables for access policy action items

Action Item Session Variable Type Description
Denied Ending session.policy.result string Access policy result: the access policy ended at Deny. The value is "access_denied".
Redirect Ending session.policy.result string Access policy result: the access policy ended at Redirect. The value is "redirect".
session.policy.result.redirect.url string URL specified in the redirect, for example, "http://www.siterequest.com"
Allowed Ending session.policy.result string Access policy result: the access policy ended at Allow. The value is "allowed".
session.policy.result.webtop.network_access.autolaunch string Name of the resource that is automatically started for a network access webtop
session.policy.result.webtop.type string Type of webtop resource: "network_access" or "web_application".
Session management session.ui.mode enum UI mode, as determined by HTTP headers.
session.ui.lang string Language in use in the session, for example "en" (English).
session.ui.charset string Character set used in the session.
session.client.type enum Client type as determined by HTTP headers: portalclient "Standalone"
  session.client.version string
session.client.js bool
session.client.activex bool
session.client.plugin bool
session.client.platform string Client platform as determined by HTTP headers:
  • "WinNT""
  • "Win2k""
  • "WinXP""
  • "WinVI""
  • "Linux""
  • " MacOS""
  • "iOS""
  • "Android""
session.user.access_mode string Enables direct access to a Citrix resource from the webtop. Example: "local"
Active Directory action session.ad.$name.queryresult bool 0 or 1.
  • 0 - Active Directory query failed
  • 1 - Active Directory query passed
session.ad.$name.authresult bool 0 or 1.
  • 0 - Active Directory authentication failed
  • 1 - Active Directory authentication passed
session.ad.$name.attr.$attr_name string Users attributes retrieved during Active Directory query. Each attribute is converted to a separate session variable.
session.ad.$name.attr.group.$attr_name string User's group attributes retrieved during Active Directory query. Each group attribute is converted to a separate session variable.
Advanced Resource Assign session.assigned.bwc.dynamic string Name of the assigned dynamic bandwidth control policy
session.assigned.bwc.static string Name of the assigned static bandwidth control policy
Client certificate authentication session.ssl.cert.x509extension string X509 extensions
session.ssl.cert.valid string Certificate result: OK or error string
session.ssl.cert.exist integer 0 or 1.
  • 0 - Certificate does not exist
  • 1 - Certificate exists
session.ssl.cert.version string Certificate version
session.ssl.cert.subject string Certificate subject field
session.ssl.cert.serial string Certificate serial number
session.ssl.cert.end string Validity end date
session.ssl.cert.start string Validity start date
session.ssl.cert.issuer string Certificate issuer
session.ssl.cert.whole string The whole certificate
Decision box session.decision_box.last.result integer 0 or 1.
  • 0 - User chooses option 2 on the decision page, which corresponds to the fallback rule branch in the action.
  • 1 -User chooses option 1 on the decision page
File check session.windows_check_file.$name.item_0.exist string True - if all files exist on the client.
  session.windows_check_file.$name.item_0.result integer Set when files on the client meet the configured attributes.
session.windows_check_file.$name.item_0.md5 string MD5 value of a checked file.
session.windows_check_file.$name.item_0.version string Version of a checked file.
session.windows_check_file.$name.item_0.size integer File size, in bytes.
session.windows_check_file.$name.item_0.modified Date the file was modified in UTC form.
session.windows_check_file.$name.item_0.signer File signer information.
LDAP action session.ldap.$name.authresult bool 0 or 1.
  • 0 - LDAP authentication failed
  • 1 - LDAP authentication passed
session.ldap.$name.attr.$attr_name string Users attributes retrieved during LDAP query. Each attribute is converted to a separate session variable.
session.ldap.$name.queryresult bool 0 or 1.
  • 0 - LDAP query failed
  • 1 - LDAP query passed
Logon Page (CAPTCHA challenge) session.logon.captcha.tracking unsigned integer A bitmask used when CAPTCHA is enabled.
  • Bit in 0 position - Track successful and unsuccessful logon attempts by IP address
  • Bit in 1 position - - Track successful and unsuccessful logon attempts by user name
Note: Should not be used by external modules because it is intended for very specific purposes.
Machine Cert Auth session.check_machinecert.last.result integer 0, 1, 2, or -2.
  • 0 - Neither certificate nor private key found.
  • 1 - Both certificate and private key found.
  • 2 - Certificate found, but private key not found.
  • -2 - Various errors, such as: Nothing received from client. Data received is not in correct format. Incorrect configuration. (For example, CA profile is not configured). Linux client is trying to access the agent.
Note: The Machine Cert Auth action is not supported on Linux.
OTP Generate session.otp.assigned.val string Generated one-time password value to send to the end user. Example message: One-Time Passcode: %{session.otp.assigned.val}
session.otp.assigned.expire string Internally used timestamp; OTP expiration in seconds since this date and time: (00:00:00 UTC, January 1, 1970)
session.otp.assigned.ttl string OTP time-to-live; configurable as OTP timeout in seconds. Example message: OTP expires after use or in %{session.otp.assigned.ttl} seconds
OTP Verify session.otp.verify.last.authresult bool 0 or 1.
  • 0 - OTP authentication failed
  • 1 - OTP authentication passed
RADIUS action session.radius.$name.authresult bool 0 or 1.
  • 0 - RADIUS authentication failed
  • 1 - RADIUS authentication passed
  session.radius.$name.attr.$attr_name string User attributes retrieved during RADIUS authentication. Each attribute is converted to a separate session variable.
Resource allocation session.assigned.resources string Space-delimited list of names of assigned resources.
session.assigned.webtop string Name of the assigned webtop.
Windows Info session.windows_info_os.$name.ie_version string Stores the Internet Explorer version
session.windows_info_os.$name.ie_updates string List of installed SP and KB fixes for Internet Explorer. For example: "¦SP2¦KB12345¦KB54321¦"
session.windows_info_os.$name.platform string Platform.
  • "Win7" - Windows 7
  • "Win8" - Windows 8
  • "WinVI" - Windows
  • "WinXP" - Windows XP
  • "Win2003" - Windows 2003 Server
  • "WinLH" - Windows 2008
  session.windows_info_os.$name.updates string List of installed SP and KB fixes for Windows. For example, "¦SP2¦KB12345¦KB54321¦"
session.windows_info_os.$name.user string List of current Windows user names
session.windows_info_os.$name.computer string List of computer names
Windows Process session.windows_check_process.$name.result integer 0, 1, or -1.
  • 0 - Failure
  • 1 - Success
  • -1 - Invalid check expression
Windows Registry session.windows_check_registrys.$name.result integer 0, 1, or -1.
  • 0 - Failure
  • 1 - Success
  • -1 - Invalid check expression