Configure Session Tracking

You can configure session tracking reporting for the APM browser agent.

By default, the APM browser agent creates a session tracking cookie that follows the activity of one browser until that browser is restarted. This boundary can differ from the session the application server uses: the browser session may span a login or a logout, and the browser sessionId does not match the sessionId that appears in the server's log files. There are a few ways to bring the two into line. When the goal is only to make sure session breaks happen at login and logout, it is enough to instrument those pages.

Add Session Breaks

A call to document.ApmSdk.resetSession() from javascript closes the existing session and starts a new one, isolating the interactions recorded before the call from those recorded after it. Placing this call on the login page, or on the landing page after logout (and after a timeout), helps to make the session breaks in the browser agent reporting match the breaks the user actually experiences.

Sample javascript code that triggers a session break:

<script type="text/javascript">
   // Only call the SDK when the browser agent has actually loaded on this page.
   if (document.ApmSdk) {
       document.ApmSdk.resetSession();
   }
</script>

Align Browser SessionId with Server SessionId

An alternative approach to align the server session with the browser session is to align the Id that is used to identify a session. Some ways to do that are described below.

Raw sessionId exposure might weaken CSRF

Exposing the sessionId to javascript and to APM could weaken CSRF (Cross-Site Request Forgery) protections, for instance where the anti-CSRF token is derived from the sessionId, and it makes the sessionId readable by any script that runs on the page.

Weigh the benefit of an identical sessionId in server logs and APM against the impact on those security measures. A one-way hash of the sessionId keeps the value unique per session without exposing the raw Id, so the protections are not jeopardized; the same hash function must then be applied on the server side wherever server logs and browser agent logs are linked to each other.

The examples below use the raw sessionId value and do not apply a hash function:

Getting application sessionId to APM browser agent

There are a few ways to get the sessionId from the application server to the browser agent.
  • Initialize apmrum.sid from application code

    This requires that the application code can expose the active sessionId in the html it returns. The application code should emit html/javascript that initializes the apmrum.sid property with the sessionId.

    The application code adds a snippet like the following to the body of the html:

    <script type="text/javascript">
       window.apmrum = window.apmrum || {};
       // getSessionId() stands for whatever the application uses to read the active server session Id.
       window.apmrum.sid = '<?php echo getSessionId(); ?>';
    </script>
  • Expose sessionId cookie and instruct browser agent to use it

    In cases where the application sessionId cookie is not protected by the HttpOnly flag, the browser agent can be configured to read and use the value of that cookie. Note that a cookie the browser agent can read is readable by every other script on the page as well, so dropping HttpOnly to enable this gives up the protection that flag provides.

    Sample html using the application server's cookie name, in this case 'JSessionId':

    <script type="text/javascript">
       window.apmrum = window.apmrum || {};
       window.apmrum.tracking_cookie = 'JSessionId';
    </script>