Configure Session Tracking
You can configure how the APM browser agent reports session tracking.
By default, the APM browser agent creates a session tracking cookie that tracks the activity
of a unique browser until the browser is restarted. This can deviate from what the
application server treats as a session: the browser agent keeps tracking across login and
logout, so the browser agent's sessionId does not match the sessionId that appears in the
application server's log files. There are a few approaches that help align the server
sessionId with the browser reporting. When the goal is only to ensure that session breaks
happen at the login/logout pages, that can be done by instrumenting just those pages.
Add Session Breaks
A call to document.ApmSdk.resetSession() in JavaScript code ensures that the existing
session is closed and a new session is started. This isolates the interactions before
the call from the interactions after it. Adding the call to the login page, or to the
landing page after logout (and after a timeout), helps ensure that the session breaks in
the browser agent reporting match the breaks the customer experiences. The check for
document.ApmSdk guards against the agent not being loaded on that page.
Sample JavaScript code that triggers a session break:
<script type="text/javascript">
if (document.ApmSdk) {
document.ApmSdk.resetSession();
}
</script>
Align Browser SessionId with Server SessionId
An alternative approach to aligning the server session with the browser session is to
use the same Id to identify the session on both sides. Some ways to do that are
described below.
Raw sessionId exposure might weaken CSRF
Exposing the sessionId to JavaScript and to APM could weaken CSRF (Cross-Site Request
Forgery) protections; once the value is readable from JavaScript, any script running on
the page can read it as well. The benefit of an identical sessionId in server logs and
APM should be weighed against the impact on these security measures. A one-way hash of
the sessionId preserves uniqueness without exposing the raw value: the server logs and
the browser agent reporting can still be linked, provided the same hash function is
applied to the sessionId on both sides.
The examples below use the raw sessionId value, not a hashed one:
Getting application sessionId to APM browser agent
The options below pass the sessionId from the application server to the browser agent.
-
Initialize apmrum.sid from application code
This requires that the application code can expose the active sessionId in the resulting
HTML. The application code should produce HTML/JavaScript that initializes the apmrum.sid
property with the sessionId. Because the value lands inside a JavaScript string literal,
it must be encoded for that context (json_encode in PHP produces a correctly quoted and
escaped literal) rather than echoed raw. The application code adds to the body of the
HTML code like the following:
<script type="text/javascript">
window.apmrum = window.apmrum || {};
window.apmrum.sid = <?php echo json_encode(getSessionId()); ?>;
</script>
-
Expose the sessionId cookie and instruct the browser agent to use it
In cases where the application sessionId cookie is not protected by the HttpOnly flag,
the browser agent can be configured to read and use the value from that cookie. A cookie
without HttpOnly is readable by any JavaScript on the page, which is exactly what this
option relies on, so confirm in the Set-Cookie response header that the flag is absent
before expecting the agent to see the value. Cookie names are case-sensitive, so use the
exact name the application server sets. Sample HTML using the application server cookie
name, in this case 'JSessionId':
<script type="text/javascript">
window.apmrum = window.apmrum || {};
window.apmrum.tracking_cookie = 'JSessionId';
</script>