Session control

The SESSION-command allows to modify the Airlock Gateway session:

;; SESSION
session-command           = current-session-command | foreign-session-command
current-session-command   = session-command-name "=" current-session-command-value
session-command-name      = "SESSION"
current-session-command-value = "TERMINATE" | "NEWID" | "NEW" | "CLEAR"

;; SESSION[sid:{foreign session id}]
session-command           = current-session-command | foreign-session-command
foreign-session-command   = session-command-name "[sid:" foreign-session-id "]" "=" foreign-session-command-value
session-command-name      = "SESSION"
foreign-session-id        = 1*ALPHANUM
foreign-session-command-value = "TERMINATE"
ALPHANUM                  = ALPHA | DIGIT

TERMINATE

The TERMINATE command terminates the current Airlock Gateway session. Using the extended notation SESSION[sid:{foreign session id}], any given session can be terminated. Please note that the TERMINATE command does not create a new session at the same time: a new session may only be created if the client sends a subsequent request after the session has been terminated.

NEWID

The NEWID command assigns a new ID to the session cookie, thus invalidating any access using the old session ID while preserving the internally used session. This prevents session fixation and other attacks based on the session ID. If HTTPS is used on the front-end, a new SSL session is initiated as well. Because Airlock Gateway already changes the session cookie each time roles are set, an explicit NEWID call is only required if a user gains more privileges in a back-end application without obtaining new Airlock Gateway roles.

NEW

The NEW command terminates the current Airlock Gateway session and creates a new, empty session with a new ID. As a result, encrypted URLs (with session-based encryption) and CSRF tokens are no longer valid in the new session. The command also initiates a new SSL session if the current session is not tracked by SSL session ID.

CLEAR

The CLEAR command clears specific fields in the current session that are typically set by Control API commands. These fields are: cookie store, header store, audit token, roles, NTLM credentials, Kerberos users and session variables. In contrast to the NEW command, CLEAR neither resets fingerprinting information nor invalidates CSRF tokens and encrypted URLs.

Examples:

The pseudo code examples below demonstrate session management using the Control API:

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("SESSION=TERMINATE")

Results in:

Set-Cookie: AL_CONTROL=SESSION%3DTERMINATE

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("SESSION[sid:713f232b1a67e46248e41dc3a85d9289]=TERMINATE")

Results in:

Set-Cookie: AL_CONTROL=SESSION%5Bsid%3A713f232b1a67e46248e41dc3a85d9289%5D%3DTERMINATE

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("SESSION=NEWID")

Results in:

Set-Cookie: AL_CONTROL=SESSION%3DNEWID

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("SESSION=NEW")

Results in:

Set-Cookie: AL_CONTROL=SESSION%3DNEW

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("SESSION=CLEAR")

Results in:

Set-Cookie: AL_CONTROL=SESSION%3DCLEAR
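The following Python is an added example, not Airlock code: it implements the URL_Encode pseudo code above with urllib, builds the AL_CONTROL Set-Cookie header for both the current-session and foreign-session forms, and adds a decoder that checks an incoming cookie value against the SESSION grammar (1*ALPHANUM session id, TERMINATE-only for foreign sessions). The function names and the strictness of the validation are my own; the gateway's actual parser may differ.

```python
import re
from typing import Optional
from urllib.parse import quote, unquote

# Allowed values straight from the grammar in this section.
CURRENT_VALUES = {"TERMINATE", "NEWID", "NEW", "CLEAR"}   # current-session-command-value
FOREIGN_VALUES = {"TERMINATE"}                            # foreign-session-command-value
FOREIGN_SID_RE = re.compile(r"^[A-Za-z0-9]+$")            # foreign-session-id = 1*ALPHANUM

def build_session_command(value: str, sid: Optional[str] = None) -> str:
    """Return the plain (not yet URL-encoded) SESSION command string.
    Hypothetical helper: raises ValueError for anything outside the grammar."""
    if sid is None:
        if value not in CURRENT_VALUES:
            raise ValueError(f"invalid current-session-command-value: {value!r}")
        return f"SESSION={value}"
    if not FOREIGN_SID_RE.match(sid):
        raise ValueError("foreign-session-id must be 1*ALPHANUM")
    if value not in FOREIGN_VALUES:
        raise ValueError(f"invalid foreign-session-command-value: {value!r}")
    return f"SESSION[sid:{sid}]={value}"

def set_cookie_header(command: str) -> str:
    """Emit the header exactly as the pseudo code does: the whole command is
    URL-encoded, so '=', '[', ':' and ']' become %3D, %5B, %3A and %5D."""
    return "Set-Cookie: AL_CONTROL=" + quote(command, safe="")

def parse_al_control(cookie_value: str) -> dict:
    """Gateway-side view (hypothetical): decode an AL_CONTROL cookie value and
    accept only well-formed SESSION commands. Returns {'sid': ..., 'value': ...}."""
    command = unquote(cookie_value)
    m = re.fullmatch(r"SESSION(?:\[sid:([A-Za-z0-9]+)\])?=([A-Z]+)", command)
    if not m:
        raise ValueError(f"not a SESSION command: {command!r}")
    sid, value = m.group(1), m.group(2)
    # A foreign session may only be terminated; the current session accepts all four values.
    allowed = FOREIGN_VALUES if sid else CURRENT_VALUES
    if value not in allowed:
        raise ValueError(f"value {value!r} not allowed for this command form")
    return {"sid": sid, "value": value}

if __name__ == "__main__":
    print(set_cookie_header(build_session_command("TERMINATE")))
    print(set_cookie_header(build_session_command("TERMINATE", "713f232b1a67e46248e41dc3a85d9289")))
    print(parse_al_control("SESSION%3DNEWID"))
```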