Section – Application

Session handling

Airlock Gateway supports four different modes for session handling:



Enforce session

Sessions are enforced. If no session is available a new session is created.

Use available session

Sessions are optional. Existing sessions are used. If no session is available no session is used.

Use available session (no refresh)

Same as "Use available session" but without refreshing session access timestamps. That is, requests use existing sessions if available but do not reset session idle times.


Session handling is disabled. No sessions are created and existing sessions are ignored. This mode improves performance for delivery of anonymous stateless content, such as image directories or static web repositories.

Send load balancing cookie

If enabled, load balancing information is sent to the client in a load balancing cookie. Uncheck this option if no load balancing is needed and no cookie should be generated for this purpose. See also load balancing.

Compress response traffic

Specifies whether Airlock Gateway should compress the output on-the-fly for the client browser (if supported and requested by the browser).

The compression is limited to content that is known to be compressible, e.g. HTML pages. See article HTTP compression.

To mitigate the BREACH attack, the decision of whether to compress a response is based on the HTTP referer header. The following HTTP responses will not be compressed:

  • First page accessed by the client (landing page)
  • Pages called from bookmarks or typed-in URLs
  • Refreshed pages
  • Pages requested by special HTTP clients not sending a referer header
  • Resources like images, JavaScript, CSS which are sourced from foreign domains.

Enable Control API

Specifies whether this service is allowed to use Control API via the control cookie mechanism. Normally, only the authentication application should be allowed to use the back-end control API of Airlock Gateway.

Send environment cookies

Specifies whether this service should receive the Airlock Gateway environment cookies that contain useful information about the connection to the client. Please refer to the environment cookie page for a detailed list of the Airlock Gateway environment cookies.

Encrypted cookies

Select Use regular expression and define a regular expression for cookies that should be cryptographically encrypted before being sent to the client. All cookies that have names which match the regular expression are encrypted and digitally signed with a secret key derived from a passphrase when sent to the client. They are decrypted and verified when sent to the back-end service. Because the pass-phrase-based key is used, such cookies are valid over several sessions and can also be persistent on the client's machine. Such cookies protect the application from manipulated cookie contents and hide the content from the user. 

Passthrough cookies

Select Use regular expression and define a regular expression for cookies that should be passed in plain format to the client. Passthrough cookies are not recommended because they are often a carrier for cookie poisoning based web application attacks that can result in buffer overflows etc.