Environment cookies

If the option Send environment cookies to back-end is enabled in the mapping, Airlock Gateway adds the following Environment Cookies to each back-end request. The default cookie prefix can be configured. However, it is not recommended to change the cookie prefix due to potential incompatibilities and confusion.

The values of the environment cookies are percent-encoded (URL encoded). The back-end must decode the values.

| Cookie Name | Example Value (decoded) | Description |
|---|---|---|
| AL_ENV_CONNECTION_ID | fPAA<...>2PCV | a unique ID for the front-end TCP connection |
| AL_ENV_HTTPS | on | indicates whether the request was sent encrypted |
| AL_ENV_MATCHING_IP_LISTS | MyIpList_16,TI:Spam Server | All IP Address Lists that have matched the client IP address, regardless of whether this was a whitelisting or blacklisting rule. The names of the matching lists are comma-separated and percent-encoded. Lists obtained through the Webroot threat intelligence service are prefixed with "TI:". |
| AL_ENV_REMOTE_ADDR | 168.192.1.123 | the IP address of the client |
| AL_ENV_REQUEST_ID | D79v<...>AABb | a unique request ID |
| AL_ENV_ROLES | role1:600:28732,role2:300:532 | the roles of the current session, with the remaining role idle timeout and the remaining role lifetime (in seconds). The value none (without remaining idle timeout/lifetime) is used if there are no roles. |
| AL_ENV_SESSION_ID | a83e5<...>f4db3 | a unique session ID. The value none is used if there is no session ID. |
| AL_ENV_SESSION_TIMINGINFO | 600:28651 | the remaining session idle timeout and the remaining session lifetime (in seconds) |
| AL_ENV_SERVER_ADDR | 10.1.0.56 | the IP address of the virtual host that received the request |
| AL_ENV_SERVER_NAME | myappl.example.com | the virtual hostname that received the request |
| AL_ENV_SERVER_PORT | 443 | the port number that received the request |
| AL_ENV_SERVER_PROTOCOL | HTTP/1.1 | the protocol name and version of the request, e.g. HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2.0 |
| AL_ENV_SERVER_REQUEST | /applpath/show.do | the path of the request |
| AL_ENV_SERVER_REQUEST_QUERY | firstname=Markus&lastname=M%C3%BCller | the query string of the request. This cookie is only sent in one-shot-requests triggered by a one-shot authentication flow. |
| AL_ENV_SESSION_TERMINATION_REASON | IdleTimeout or ClientFingerprinting: TOTAL_PENALTY_POINTS=800 | an explanatory string on the reason why a session has ended. Possible values are "IdleTimeout", "LifetimeExceeded", "ThreadHandling", "ControlAPI", "ClientFingerprinting". Additional arguments may be added to the value in the form of <key>=<value> pairs delimited by a colon (:). In case of "ClientFingerprinting" the total reached penalty points, leading to termination of the session, is appended as "TOTAL_PENALTY_POINTS=<INT>". This cookie is only sent in logout propagation requests. |
| AL_ENV_WAF_VERSION | 7.2.0 | Airlock Gateway version string in the format "<MAJOR>.<MINOR>.<MAINTENANCE>", where MAJOR, MINOR and MAINTENANCE are sequences of digits. |

Table 3: Various basic cookies

| Cookie Name | Example Value (decoded) | Description |
|---|---|---|
| AL_ENV_GEOIP_CONTINENT | EU | the continent code of the request origin. The continent codes are listed in the description of the Submenu – Default Actions request action. This cookie is only sent if GeoIP information is available. |
| AL_ENV_GEOIP_COUNTRY | CH | the country code of the request origin. The country codes correspond to the Alpha-2 codes in the ISO 3166-1 standard. This cookie is only sent if GeoIP information is available. |
| AL_ENV_GEOIP_LATITUDE | 47.3667 | the approximate latitude of the request origin. This cookie is only sent if GeoIP information is available. |
| AL_ENV_GEOIP_LONGITUDE | 8.55 | the approximate longitude of the request origin. This cookie is only sent if GeoIP information is available. |

Table 4: Geolocation cookies

| Cookie Name | Example Value (decoded) | Description |
|---|---|---|
| AL_ENV_SSL_CIPHER | ECDHE-RSA-AES256-GCM-SHA384 | the SSL/TLS cipher used for HTTPS |
| AL_ENV_SSL_PROTOCOL | TLSv1.2 | the encryption protocol used for HTTPS, e.g. TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 |
| AL_ENV_SSL_SESSION_ID | 58ad1<...>4584b | the unique SSL/TLS session ID |

Table 5: Values regarding encrypted front-end connections

| Cookie Name | Example Value (decoded) | Description |
|---|---|---|
| AL_ENV_SSL_CLIENT_CERT | -----BEGIN CERTIFICATE-----<...>4B== | the client certificate in PEM format, containing newlines (\n) |
| AL_ENV_SSL_CLIENT_I_DN | CN=CA,OU=CertDepartment,O=TrustMe<...> | the client certificate issuer distinguished name (*) |
| AL_ENV_SSL_CLIENT_M_SERIAL | 518 | the serial number of the client certificate |
| AL_ENV_SSL_CLIENT_M_VERSION | 1 | the version number of the client certificate |
| AL_ENV_SSL_CLIENT_S_DN | CN=Bob,OU=Airlock,O=Ergon<...> | the client certificate subject distinguished name (*) |
| AL_ENV_SSL_CLIENT_V_START | Oct 16 11:48:41 2013 GMT | the client certificate validity start date |
| AL_ENV_SSL_CLIENT_V_END | Oct 29 05:20:25 2016 GMT | the client certificate validity end date |

Table 6: Values regarding client certificates

| Cookie Name | Example Value (decoded) | Description |
|---|---|---|
| AL_ENV_CFP_INCIDENTS | sess_ipChange,sess_userAgentChange | comma (,) separated list of triggered client fingerprinting incidents in the session/request applicable for the current mapping. Configure with expert settings. |
| AL_ENV_CFP_TOTAL_PENALTY_POINTS | 250 | sum of client fingerprinting penalty points accumulated in the session/request for the current mapping. Configure with expert settings. |
| AL_ENV_CFP_NOTIFICATION | FALSE | indicates whether the client fingerprinting has detected a potential session hijacking |

Table 7: Values regarding client fingerprinting

| Cookie Name | Example Value (decoded) | Description |
|---|---|---|
| AL_ENV_SV_<session variable name> | <session variable value> | the value of an exported session variable. Note that the session variable name is percent-encoded, e.g. AL_ENV_SV_MyVariable=MyValue. Configure with expert settings. |

Table 8: Values regarding session variables

| Cookie Name | Example Value (decoded) | Description |
|---|---|---|
| AL_ENV_TECH_CLIENT_ID | 08b3c345-a156-4d30-9d65-465ccdb363d6 | The tech client ID received from the API policy service. |
| AL_ENV_API_POLICY_TECH_CLIENT_ID | 08b3c345-a156-4d30-9d65-465ccdb363d6 | The tech client ID received from the API policy service. |
| AL_ENV_API_POLICY_SUBSCRIPTION_ID | ee52d844-26c4-41db-89a3-8d0106b23e09 | The subscription ID received from the API policy service. |
| AL_ENV_API_POLICY_LABEL | my_app_client_android | Label received from the API policy service. |
| AL_ENV_API_POLICY_DISPLAY_NAME | MyApp Client - Android | Display name received from the API policy service. |
| AL_ENV_API_POLICY_PLANS | write,read,info | Comma-separated list of plans available in the subscription received from the API policy service. |

Table 9: Values regarding API policy features
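
The following added example (not Airlock's own code) shows how a back-end could percent-decode the environment cookies and parse the structured AL_ENV_ROLES and AL_ENV_SESSION_TERMINATION_REASON values described in the tables above. The Cookie header is constructed sample data, the function names are hypothetical, and the code assumes that role names contain no commas.

```python
from urllib.parse import unquote

PREFIX = "AL_ENV_"  # default EnvVarCookiePrefix listed on this page

# Constructed sample Cookie header, as a back-end might receive it.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=abc123; "
    "AL_ENV_REMOTE_ADDR=168.192.1.123; "
    "AL_ENV_ROLES=role1%3A600%3A28732%2Crole2%3A300%3A532; "
    "AL_ENV_SESSION_TERMINATION_REASON="
    "ClientFingerprinting%3A%20TOTAL_PENALTY_POINTS%3D800; "
    "AL_ENV_SV_My%20Variable=My%20Value"
)

def parse_env_cookies(header, prefix=PREFIX):
    """Return {name: decoded value} for cookies carrying the prefix."""
    env = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name.startswith(prefix):
            # Names are decoded too: session variable names are percent-encoded.
            env[unquote(name)] = unquote(value)
    return env

def parse_roles(value):
    """'role1:600:28732,role2:300:532' -> [(role, idle_s, lifetime_s)]."""
    if value == "none":  # documented value when the session has no roles
        return []
    roles = []
    for item in value.split(","):
        # rsplit keeps a role name intact should it contain ':' (assumption).
        name, idle, lifetime = item.rsplit(":", 2)
        roles.append((name, int(idle), int(lifetime)))
    return roles

def parse_termination_reason(value):
    """'Reason: K=V:K2=V2' -> (reason, {K: V, ...})."""
    reason, *args = (part.strip() for part in value.split(":"))
    return reason, dict(arg.split("=", 1) for arg in args if "=" in arg)

if __name__ == "__main__":
    env = parse_env_cookies(SAMPLE_COOKIE_HEADER)
    print(env)
    print(parse_roles(env["AL_ENV_ROLES"]))
    print(parse_termination_reason(env["AL_ENV_SESSION_TERMINATION_REASON"]))
```
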
(*) DN format change

The DN format used in the cookies AL_ENV_SSL_CLIENT_I_DN and AL_ENV_SSL_CLIENT_S_DN changed with Airlock Gateway 5.0. The new format supports non-ASCII characters and escapes special characters with backslashes. The legacy format can be enabled using Apache expert settings as follows:

SSLOptions +LegacyDNStringFormat

This option is applicable on all Apache expert setting contexts: globally, on virtual hosts, and on mappings. For more details on Apache SSLOptions, please consult the Apache Manual.

Expert settings

The list below shows the Security Gate - Expert Settings related to this topic. They can be adapted if their default setting does not fit customer needs.

EnvVarCookiePrefix "AL_ENV_"

EnvVarCookiePlainChars "!#$&*-./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ^_`abcdefghijklmnopqrstuvwxyz|~"

ClientFingerprinting.EnvVarCookieExport.Enable "TRUE"

SessionVariable.EnvVarCookieExport.Enable "TRUE"

SessionVariable.EnvVarCookieExport.Name.Pattern ".*"

Airlock support does not recommend changing the environment cookie prefix - this is usually a source of confusion.