# APM session-variable reference

> The Session Variables chapter as a pattern-aware lookup: paste session.ad.last.attr.memberOf and it resolves against the chapter's own templates, paste an mcget expression and every reference inside is explained with the secure audit riding along, the classic empty-value trap named exactly: a bare mcget on session.logon.last.password reads back empty, because secure variables require -secure.

- Tool: https://ronutz.com/en/tools/f5-apm-session-variable-reference
- Family: Identity & tokens

---

# APM session-variable reference

Everything a BIG-IP Zero Trust Access (formerly BIG-IP APM - Access Policy Manager) access policy learns, it stores in session variables, hierarchical names the Visual Policy Editor guide's own anatomy figure spells out: the string session, a type, the agent name or the string last, agent-specific pieces, a node name of attr or result, an attribute name. The Session Variables chapter is the canonical table of those names, and this tool vendors it, a substantial curated core spanning policy results, the session-management and client set, the AD, LDAP, and RADIUS families, the complete session.ssl.cert family, the endpoint checks, OTP, and resource assignment, extended with the logon and SSO plumbing rows the SSO Configuration Guide defines, session.logon.last.* and session.sso.token.last.*, the pair every SSO method reads.

The lookup is pattern-aware because the chapter writes patterns. Rows like session.ad.$name.attr.$attr_name are templates, each retrieved attribute converted to a separate session variable, so pasting session.ad.last.attr.memberOf resolves to its row with the bindings shown, $name = last, $attr_name = memberOf, along with which action populates it, an AD Query in that case. Family lookups and a full catalogue mode round out the reference side.

Paste an expression instead and every reference inside it is extracted and explained, across the three syntaxes the platform itself uses: %{session.x} inline expansion, which the chapter's own OTP example message demonstrates; mcget inside expr branch rules, whose canonical form the per-request policy reference ships as expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }; and access::session data get and set. The secure audit rides along on all three, grounded verbatim in F5's own lab material: a secure variable's value is stored encrypted in the session db, is not displayed in the session report, is not logged by the logging agent, and requires the -secure flag for both mcget and access::session data get/set. The one-click Example is the classic trap this contract creates, a bare mcget on session.logon.last.password, and the tool names exactly what comes back: an empty value, silently, not an error.

The honest edges are stated on the cards. This is a snapshot of the 13.1 chapter, the last generation shipped as manual chapters, with names and families stable across versions and per-version verification as the standing advice; variables outside the snapshot are reported as such, with the two debug surfaces named, the Current Sessions report, which the lab notes shows variables for active sessions only, hence its message-box pause trick, and the sessiondump command with its sid and allkeys views.

Everything runs locally; nothing you paste leaves the page.

## Standards and references

- [BIG-IP APM Visual Policy Editor 13.1 - Session Variables chapter (the vendored table: policy results, session management and client variables, AD/LDAP/RADIUS families with the each-attribute-becomes-a-variable rule, the full session.ssl.cert family, endpoint checks including the always-zero hd.state quirk, OTP with the official percent-expansion example, resource assignment; the naming anatomy figure; the sessiondump command)](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-13-1-0/5.html) - the vendored core of the variable table
- [F5 Access Solutions lab, VPE and Session Variables module (the secure contract verbatim: encrypted in the session db, hidden from the session report and the logging agent, -secure required for both mcget and access::session data get/set; the session.custom auto-container behavior; the active-sessions-only report note and the message-box pause trick; the mcget session.user.clientip and session.logon.last.upn examples)](https://f5-agility-labs-iam.readthedocs.io/en/latest/class8/module4/module4.html) - the secure-flag audit and the debug-surface observations
- [BIG-IP APM Visual Policy Editor 12.1 - Per-Request Policy Reference (the official branch-rule expressions: expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 } and the memberOf shape; populated-by actions per family: AD Query, LDAP Query, RADIUS Auth/Acct, Local Database with session.localdb.groups)](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-12-1-0/5.html) - the expression grammar and the populated-by attributions
- [BIG-IP APM Single Sign-On Configuration Guide 17.1 (the plumbing rows: NTLM Domain defaulting to session.logon.last.domain, the Form Based password source defaulting to session.sso.token.last.password, SSO Credential Mapping feeding session.sso.token.last.* from session.logon.last.*)](https://techdocs.f5.com/en-us/bigip-17-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/single-sign-on-methods.html) - the logon and sso family rows

## Related reading

- [Session Variables: Where APM Keeps Everything It Learned](https://ronutz.com/en/learn/bigip-apm-session-variables.md): Every access-policy action writes its results into session.* variables, named by an anatomy the manual draws and read by three official syntaxes. The layer has one contract worth memorizing: secure variables are encrypted, hidden from reports and logs, and readable only with -secure, which makes a bare mcget on a password the classic silent empty read.
