Using header tokens for session tracking

In this configuration example, we use HTTP header tokens between the REST client and Airlock Gateway to track sessions. This is usual for non-browser clients or, in general, for HTTP clients not supporting cookies.

For browser-based clients, see Using gateway-generated cookies for session tracking.

  • How it works:
  • The REST client receives a token in an HTTP header for session tracking from Airlock Gateway, e.g., the header named X-Session-ID.
  • The REST client must return the header's value in a request header, e.g., again a header named X-Session-ID with every request.

A mixed setup with REST and browser-based clients usually requires a split setup with two VirtualHost configurations on the Airlock Gateway. One with cookie-based tracking and one with header tracking configuration.


Airlock Gateway may send a new header value to the HTTP client at any point in the conversation. It does so, for example, during and after authentication, role changes, etc. The REST client must always use the newest header value. This is done to mitigate certain types of attacks.

Airlock Gateway configuration for header tracking

Session tracking by header can be configured using Security Gate Expert Settings on the Virtual Host.

  1. Open the corresponding Virtual Host for editing. Go to tab:
    Expert Settings
  2. Switch the Security Gate settings ON and add the following line:
  3. Session.Tracking.HeaderToken.Enable                               "TRUE"
  4. We strongly recommend setting meaningful request and response header names, e.g., X-Session-ID. To do so, add the following Expert Settings configuration lines:
  5. Session.Tracking.HeaderToken.Response.Header.Name                 "X-Session-ID" 
    Session.Tracking.HeaderToken.Request.Header.Name                  "X-Session-ID"