Selecting session tracking mode via API

In addition to the session settings in the configuration center, the control API can be used to dynamically change how Airlock Gateway tracks sessions. The command SESSION_TRACKING_MODE controls whether the current session is tracked by a session cookie or by the SSL session ID.

;; SESSION_TRACKING_MODE
tracking-command          = tracking-command-name "=" tracking-command-value
tracking-command-name     = "SESSION_TRACKING_MODE"
tracking-command-value    = "SSL" | "COOKIE"

By default, Airlock Gateway uses a session cookie to track the user session. When the SSL session ID is used to track a session instead, there is a risk of inadvertent session hijacking if two users access your website through the same proxy and that proxy makes them share SSL connections. Tracking user sessions by SSL session ID should only be used if the browser does not change the SSL session ID during a session and clients are not behind a proxy server.

Example:
The examples below show the HTTP header "Set-Cookie" with the control API cookie AL_CONTROL. The pseudo code shows how to build the control API cookie correctly.

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("SESSION_TRACKING_MODE=SSL")

Results in:

Set-Cookie: AL_CONTROL=SESSION_TRACKING_MODE%3DSSL

Pseudo code:

response.header="Set-Cookie: AL_CONTROL="+URL_Encode("SESSION_TRACKING_MODE=COOKIE")

Results in:

Set-Cookie: AL_CONTROL=SESSION_TRACKING_MODE%3DCOOKIE
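
Added example (not part of the original Airlock documentation): a Python version of the pseudo code above that emits only the two values the grammar allows, together with a check that flags back-end response headers switching a session to SSL session ID tracking. The function names and the sample headers are constructed for illustration, and exact-case matching of the command and its values is an assumption.

```python
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "AL_CONTROL"
COMMAND = "SESSION_TRACKING_MODE"
ALLOWED_MODES = ("SSL", "COOKIE")  # tracking-command-value from the grammar


def build_tracking_header(mode: str) -> str:
    """Return the Set-Cookie header line that selects the given tracking mode."""
    if mode not in ALLOWED_MODES:
        # Only grammar values are emitted, so no untrusted text (for example
        # CR/LF sequences) can reach the response header.
        raise ValueError(f"unsupported tracking mode: {mode!r}")
    return f"Set-Cookie: {COOKIE_NAME}=" + quote(f"{COMMAND}={mode}", safe="")


# Header names are case-insensitive; the cookie name is matched exactly.
_HEADER_RE = re.compile(r"^(?i:Set-Cookie):\s*AL_CONTROL=([^;\s]*)")


def parse_tracking_header(line: str):
    """Return "SSL" or "COOKIE" for a valid tracking command, else None."""
    match = _HEADER_RE.match(line.strip())
    if not match:
        return None
    name, sep, value = unquote(match.group(1)).partition("=")
    if name != COMMAND or not sep or value not in ALLOWED_MODES:
        return None
    return value


def find_ssl_switches(header_lines):
    """List the header lines that switch a session to SSL session ID tracking."""
    return [h for h in header_lines if parse_tracking_header(h) == "SSL"]


# Constructed sample of back-end response headers (not captured traffic).
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: AL_CONTROL=SESSION_TRACKING_MODE%3DSSL",
    "Set-Cookie: AL_CONTROL=SESSION_TRACKING_MODE%3DCOOKIE",
    "Set-Cookie: AL_CONTROL=SESSION_TRACKING_MODE%3DOTHER",
    "Set-Cookie: JSESSIONID=abc123",
]

if __name__ == "__main__":
    print(build_tracking_header("SSL"))
    print(find_ssl_switches(SAMPLE_HEADERS))
```

Running find_ssl_switches over the response headers of a back-end shows where SSL session ID tracking is being requested, so each such place can be checked against the proxy caveat above.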