Submenu – Session Viewer

Session Viewer

The session viewer can be used to gather real-time information about user sessions that currently exist in Airlock Gateway.

Clicking the delete button immediately terminates the selected session.

Query input field

If the query field is left empty, all existing sessions are returned. To execute the query either press Return or click the Search button.

There are two possible modes to enter queries: "Free text queries" and "Query language".

Free text query

As long as the entered string does not contain '=' or '~', the query will be interpreted as free text. Every entered token will be searched for in all currently displayed columns. All sessions matching at least one token in one of those fields will be displayed.

Query language

For more specific queries, the internally used query language can be entered directly.

If the search value contains any of the characters = ~ ( ) " or whitespace, it must be surrounded by double quotes. Double quotes within double quotes must additionally be escaped with a backslash.

Example: audittoken~"my \"escaped\" string"

Complex queries can be formed by using parentheses and the "and"/"or" operators to chain several conditions.

| Operator | Meaning | Case sensitivity |
|----------|---------|------------------|
| = | Equality: Satisfied if search value and field value are exactly equal | Sensitive |
| ~ | Like: Satisfied if search value is a substring of the field value | Insensitive |

Possible search fields:

  • sid
  • audittoken
  • role
  • role.exists
  • mappings.accessed
  • backendgroup.host
  • ip.creation

Example queries:

  • sid ~ abc123
  • audittoken=admin
  • role = root
  • backendgroup.host = "group2->host3"
  • role.exists = true
  • mappings.accessed="my mapping" and ip.creation=127.0.0.1
  • ((ip.creation~"127." or audittoken=local) or role~admin) and role.exists=true
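The quoting rules and the two operators described above, as a small evaluator run against one constructed session. This is an added example, not Airlock Gateway code; the names tokenize, matches and SESSION are hypothetical. It assumes that and/or chain left to right without precedence, that a multi-valued field matches when any of its values matches, and that an unknown field never matches.

```python
import re

# Token: a quoted string (backslash escapes), one of = ~ ( ), or a bare word.
TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([=~()])|([^\s=~()"]+))')

def tokenize(query):
    tokens, pos, query = [], 0, query.rstrip()
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at offset {pos}")
        quoted, op, word = m.groups()
        tokens.append(("str", re.sub(r"\\(.)", r"\1", quoted)) if quoted is not None
                      else ("op", op) if op else ("word", word))
        pos = m.end()
    return tokens

def matches(query, session):          # session: dict of field name -> list of strings
    toks = tokenize(query) + [(None, None)] * 3   # sentinels mark the end of input
    if len(toks) == 3:                            # empty query: every session matches
        return True
    def term():
        if toks[0] == ("op", "("):
            toks.pop(0)
            result = expr()
            if toks.pop(0) != ("op", ")"):
                raise ValueError("missing closing parenthesis")
            return result
        (fkind, field), optok, (vkind, value) = toks.pop(0), toks.pop(0), toks.pop(0)
        if fkind != "word" or optok[0] != "op" or optok[1] not in "=~" or vkind in (None, "op"):
            raise ValueError(f"expected <field> = or ~ <value> near {field!r}")
        values = session.get(field, [])
        if optok[1] == "=":
            return value in values                        # exact, case-sensitive
        return any(value.lower() in v.lower() for v in values)  # substring, insensitive
    def expr():                       # assumption: and/or chain strictly left to right
        result = term()
        while toks[0] in (("word", "and"), ("word", "or")):
            conn, rhs = toks.pop(0)[1], term()
            result = (result and rhs) if conn == "and" else (result or rhs)
        return result
    result = expr()
    if toks[0] != (None, None):
        raise ValueError("unexpected token after end of query")
    return result

# Constructed sample session, not real data.
SESSION = {"sid": ["abc123XYZ"], "audittoken": ["admin"], "role": ["root", "Admin"],
           "role.exists": ["true"], "mappings.accessed": ["my mapping"],
           "backendgroup.host": ["group2->host3"], "ip.creation": ["127.0.0.1"]}
```

An unquoted value containing whitespace, such as mappings.accessed=my mapping, is rejected with a ValueError instead of being silently truncated to its first word.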

Displayed columns

Columns can be enabled or disabled in the results table.

This will influence the result set when using a free text query!

Only the currently displayed columns are searched by free text queries. For example: If a query token was previously found in the "audit token" column and the "audit token" column gets turned off, that session will disappear from the result set. Conversely, enabling new columns may cause the result set to grow.

Results table

Sessions that satisfy the used query will be displayed.

The results can be sorted according to different fields by clicking on one of the table headers. A second click will toggle the sorting direction. The default sorting column is "idle time" (ascending).

Clicking on a row will open a window that shows all details about a single session.

A maximum of 50 sessions will be displayed. A hint will appear at the bottom of the page if there are more than 50 sessions matching the query. To see sessions that are currently not displayed, use a different sorting order or refine the query.

If no results appear, there may be several reasons. The query may be too restrictive or there may be no sessions at all (for example on a test system). If there was an error, a red warning is displayed.

Detail view

The detail view of a session opens after a click on the session row in the results table. All available information about a session can be seen here.

  • SID: The session identifier (ID)
  • Creation IP: The IP address used at the moment of session creation
  • Audit token: The audit token
  • Kerberos Users: Kerberos users that may be used by this session
  • Creation time: Timestamp of session creation
  • Configured max. lifetime: Maximum lifetime in seconds
  • Currently remaining lifetime: Remaining lifetime in seconds
  • Time of last access: Timestamp of last access
  • Configured max. idle time: Maximum time (seconds) a session can be idle before being terminated
  • Idle time: Time in seconds since the last access
  • Currently remaining idle time: Idle time in seconds that is left before the session is terminated
  • Roles: List of all roles that are set
  • Accessed mappings: List of all mappings this session has accessed (not including requests that were redirected to "Denied access URL" for authentication)
  • Back-end Group/Host: When a back-end group contains more than one host and has load balancing configured, then at creation every session is assigned to one host. This field shows that assignment (only for back-end groups that have a host assignment, i.e. those that the session has accessed before).
  • Cookie Store: All stored cookies
  • Header Store: All stored headers. "Authorization" headers are shown in decoded form. Passwords are shown as "<masked>".
  • NTLM Credentials: List of stored NTLM credentials. Passwords are shown as "<masked>".
  • Client Fingerprinting Incidents: List of all client fingerprinting incidents that have occurred on this session
  • Client Fingerprinting Thresholds: List of all client fingerprinting thresholds that have been reached, out of (Log / Notify / Block). The "Terminate" threshold will never appear because the affected sessions will be terminated immediately.