Section – Session Tracking

Airlock Gateway offers three different ways of session tracking.

Select the tracking method depending on your client-side requirements:

  1. Session tracking with session cookie, which is suitable for most browser-based applications. See also the informative article Cookie handling and cookie types.
  2. Session tracking based on SSL session ID. For more information see below. In addition to the GUI-based configuration, the REST API allows the cookie-based or SSL ID-based tracking mode to be selected dynamically.
  3. Session tracking via header session token. This is the recommended method for client applications without cookie stores, etc., and can be enabled in the Expert Settings.

Track session based on SSL session ID

Airlock Gateway supports SSL session ID-based session tracking. If enabled, HTTPS (SSL) sessions use the SSL session ID as the session identifier instead of a session cookie. For more information please read this Techzone Article.

Note that HTTP sessions (no SSL) always use a session cookie independent of this setting.

Session timeout (seconds)

Specifies the idle time (time without being accessed) in seconds after which an Airlock Gateway session is removed. This timeout should be smaller than all other session timeouts of your back-end applications.

The default resolution setting of the idle session timeout check is 5 seconds – this means the actual forced idle time can deviate by up to 5 seconds. This is a performance tradeoff that does not affect your Airlock Gateway usage.

Session lifetime (seconds)

Specifies the absolute lifetime of an Airlock Gateway session in seconds. After this time, the session is removed from the Gateway. Make sure the lifetime is long enough even for extended user sessions; otherwise users risk losing their work.

Special considerations are recommended for sessions with a SAML IdP or OpenID Connect OP.


We recommend specifying a small initial idle timeout in the static configuration and then dynamically setting the idle timeout of user credentials after a successful authentication. This can be done by using the back-end Control API of Airlock Gateway or by deploying Airlock IAM.
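The following added example (not Airlock code) models how the idle timeout, its 5-second check resolution, the absolute lifetime, and the recommended post-authentication timeout change interact. The `Policy` class, the function names and all values are hypothetical; it assumes idle checks run at multiples of the resolution and that the lifetime is enforced exactly.

```python
import math
from dataclasses import dataclass

SWEEP_RESOLUTION = 5  # seconds: default idle-check resolution stated on this page

@dataclass
class Policy:  # hypothetical container, not an Airlock configuration object
    initial_idle: int  # small idle timeout from the static configuration
    auth_idle: int     # idle timeout set dynamically after authentication
    lifetime: int      # absolute session lifetime

def next_sweep(t, resolution=SWEEP_RESOLUTION):
    """First idle check at or after t (assumption: checks run at multiples of resolution)."""
    return math.ceil(t / resolution) * resolution

def removal_time(policy, events, resolution=SWEEP_RESOLUTION):
    """Return (seconds_since_creation, reason) for when the session is removed.

    events: time-ordered (t, kind) tuples, kind is "request" or "login".
    Assumption: the absolute lifetime is enforced exactly, idle expiry on sweeps.
    """
    idle, last_access = policy.initial_idle, 0
    for t, kind in list(events) + [(math.inf, "end")]:
        idle_cut = next_sweep(last_access + idle, resolution)
        if t >= min(idle_cut, policy.lifetime):
            # The session is already gone when this event arrives.
            if policy.lifetime <= idle_cut:
                return policy.lifetime, "lifetime"
            return idle_cut, "idle"
        last_access = t
        if kind == "login":
            idle = policy.auth_idle  # raised only after successful authentication

def backends_violating(policy, backend_idle_timeouts):
    """Back-ends whose own idle timeout is not larger than the gateway's."""
    return sorted(name for name, timeout in backend_idle_timeouts.items()
                  if timeout <= policy.auth_idle)

if __name__ == "__main__":
    policy = Policy(initial_idle=60, auth_idle=1800, lifetime=28800)  # constructed values
    print(removal_time(policy, [(2, "request")]))
    print(removal_time(policy, [(2, "request"), (30, "login")]))
    print(backends_violating(policy, {"crm": 3600, "legacy": 900}))
```

An unauthenticated session last touched at second 2 is removed at second 65 rather than 62, which is the deviation caused by the check resolution.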