Section – Application
Session handling
Airlock Gateway supports four different modes for session handling:
Mode | Description |
---|---|
Enforce session | Sessions are enforced. If no session is available a new session is created. |
Use available session | Sessions are optional. Existing sessions are used. If no session is available no session is used. |
Use available session (no refresh) | Same as “Use available session” but without refreshing session access timestamps. That is, requests use existing sessions if available but do not reset session idle times. |
Sessionless | Session handling is disabled. No sessions are created and existing sessions are ignored. This mode improves performance for delivery of anonymous stateless content, such as image directories or static web repositories. |
Send load balancing cookie
If enabled, load balancing information is sent to the client in a load balancing cookie. Uncheck this option if no load balancing is needed and no cookie should be generated for this purpose. See also load balancing.
Compress response traffic
Specifies whether Airlock Gateway should compress the output on-the-fly for the client browser (if supported and requested by the browser).
The compression is limited to content that is known to be compressible, e.g. HTML pages. See article HTTP compression.
To mitigate the BREACH attack, the decision of whether to compress a response is based on the HTTP referer header. The following HTTP responses will not be compressed:
- First page accessed by the client (landing page)
- Pages called from bookmarks or typed-in URLs
- Refreshed pages
- Pages requested by special HTTP clients not sending a referer header
- Resources like images, JavaScript, CSS which are sourced from foreign domains.
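An added example, not Airlock Gateway's own code: a sketch of the Referer-based compression decision described above, where a missing or foreign Referer means the response is sent uncompressed. The function names, the compressible-type set and the host comparison are assumptions, and refreshed pages are not modelled because the page does not say how they are detected.

```python
from urllib.parse import urlsplit

# Assumption: types treated as compressible (the page names only HTML pages).
COMPRESSIBLE = {"text/html", "text/css", "application/javascript"}


def accepts_gzip(accept_encoding):
    """True if the client lists gzip with a non-zero q-value."""
    for item in accept_encoding.split(","):
        token, _, params = item.strip().partition(";")
        if token.strip().lower() != "gzip":
            continue
        q = params.strip().lower()
        if not q.startswith("q="):
            return True
        try:
            return float(q[2:]) > 0
        except ValueError:
            return False
    return False


def host_of(value):
    """Lower-cased host name of a URL or Host header value, or None."""
    try:
        return urlsplit(value if "//" in value else "//" + value).hostname
    except ValueError:
        return None


def should_compress(headers, content_type):
    """Return (decision, reason). `headers` uses lower-case request header names."""
    if not accepts_gzip(headers.get("accept-encoding", "")):
        return False, "client did not request gzip"
    if content_type.split(";")[0].strip().lower() not in COMPRESSIBLE:
        return False, "content type not compressible"
    referer = headers.get("referer", "")
    if not referer:
        # Landing page, bookmark, typed-in URL, or a client that omits Referer.
        return False, "no referer"
    if host_of(referer) is None or host_of(referer) != host_of(headers.get("host", "")):
        # The request was triggered from a page on a foreign domain.
        return False, "foreign referer"
    return True, "same-site referer"


# Constructed request (not captured traffic): an in-site link click.
CLICK = {"host": "shop.example.com", "accept-encoding": "gzip, deflate, br",
         "referer": "https://shop.example.com/cart"}
print(should_compress(CLICK, "text/html; charset=utf-8"))
```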
Enable Control API
Specifies whether this service is allowed to use the Control API via the control cookie mechanism. Normally, only the authentication application should be allowed to use the back-end Control API of Airlock Gateway.
Send environment cookies
Specifies whether this service should receive the Airlock Gateway environment cookies that contain useful information about the connection to the client. Please refer to the environment cookie page for a detailed list of the Airlock Gateway environment cookies.
Encrypted cookies
Select Use regular expression and define a regular expression for the names of cookies that should be encrypted before being sent to the client. All cookies whose names match the regular expression are encrypted and digitally signed with a secret key derived from a passphrase when sent to the client. They are decrypted and verified when sent to the back-end service. Because the passphrase-based key is used, such cookies remain valid across several sessions and can also be persistent on the client's machine. Encrypted cookies protect the application from manipulated cookie contents and hide the contents from the user.
Passthrough cookies
Select Use regular expression and define a regular expression for the names of cookies that should be passed to the client in plain format. Passthrough cookies are not recommended because they are often a carrier for cookie-poisoning attacks against web applications, which can result in buffer overflows, among other things.