Configure Session Replay

You can configure monitoring-consumption and data-privacy settings for Session Replay. The following sections describe all possible configuration options:

  • Cost and traffic control to reduce usage while recording user sessions
  • Opt-in mode to decide which parts of a user session can be recorded and enable end users to decide if their sessions may be recorded
  • URL exclusion to exclude pages and views from recordings
  • Masking to prevent the recording and/or the display of private user information

Dynatrace has introduced several Session Replay configuration settings that you should use to protect your customers’ personal information. Before enabling Session Replay and proceeding with the privacy configuration settings explained here, ensure that your organization has taken all other necessary steps to protect your customers' personal data.

A user's ability to replay recorded user sessions, with or without playback masking settings, is permission controlled. Permissions are available at the environment level as well as the management-zone level. Read more in Manage user groups and permissions.

Cost and traffic control

By default, all RUM-analyzed user sessions contain Session Replay data. By modifying the percentage of recorded user sessions, you can control the volume of data generated by Session Replay.

To determine the actual number of user sessions that will be recorded for Session Replay, take into account the overall percentage of analyzed user sessions defined for the whole application.

For example, if the overall percentage of user sessions to be analyzed under Real User Monitoring is set to 50% and the percentage for Session Replay is set to 20%, only 10% of all the user sessions will be recorded for Session Replay (50% x 20% = 10%).

To limit the number of sessions recorded by Session Replay

  1. In the Dynatrace menu, go to Web.
  2. Select the application that you want to configure.
  3. Select Browse > Edit.
  4. Select Session Replay and behavior > Session Replay.
  5. Turn on Enable Session Replay.
  6. Enter a percentage value less than 100 in the Analyze % of user sessions field.
  7. Select Save.

Opt-in mode

Session Replay opt-in mode gives you the freedom to decide which parts of a user session must be recorded and when recording is permitted to begin. For example, you may choose to record user sessions:

  • As soon as any user logs in.
  • Only for select customers so that you can offer them premium support.
  • Only for certain pages of the recorded application.

This mechanism enables you to implement end-user permission for session recording.

When you enable Session Replay opt-in mode for your web application, recording of the active user session begins only once you invoke the enableSessionReplay() method on the dtrum global object. The dtrum global object is available following the auto-injection of the RUM JavaScript.

This command starts session recording. Session Replay remains active and recording begins automatically on all subsequent pages visited during the same session or until dtrum.disableSessionReplay() is called.

The dtrum.enableSessionReplay() method includes the ignoreCostControl parameter, which can be used to record certain user sessions by disregarding the value in Cost and traffic control.

Note

If Real User Monitoring opt-in mode is enabled, Real User Monitoring must be enabled before you can enable Session Replay:
dtrum.enable();
dtrum.enableSessionReplay();

Example

Consider the following scenario: As an application owner, you want to record all user sessions that include Page 2 through Page 5 of your application. Session activity involving Page 1 or Page 6 of your application is to be excluded from recording. The following diagram illustrates where the dtrum.enableSessionReplay() and dtrum.disableSessionReplay() methods are required in such a sequence.

[Figure: session recording illustration]

In such cases, you can display a consent banner to enable session recording when the user lands on Page 2 (see callout at the bottom of the following image). When the user selects the Accept button to allow session recording, the application responds by invoking the dtrum.enableSessionReplay() method and recording the session.

[Figure: banner example]

You can use a cookie in your application to record user consent history within the browser. The content of this cookie is checked during each session to determine if the consent banner must be displayed. For example, if the cookie that stores the consent is named sessionReplayConsent, the application flow would be something like this:

  1. The application checks the value of the sessionReplayConsent cookie.
  2. If the value is true, the dtrum.enableSessionReplay() call is invoked.
  3. If the value is false, the consent banner is displayed.
  4. If the user provides their consent, the dtrum.enableSessionReplay() call is invoked.
  5. User consent is written to the sessionReplayConsent cookie.

With this cookie, Session Replay continues to remain active until Page 5 of the application.

Once the user leaves Page 5, the dtrum.disableSessionReplay() method can be used to stop recording the session. The cookie that has been used to store the consent must then be removed.
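The consent-cookie flow above, written out as an added JavaScript example (not Dynatrace's code). Only dtrum.enable(), dtrum.enableSessionReplay(), dtrum.disableSessionReplay() and the sessionReplayConsent cookie name come from this page; the function names, return strings and cookie attributes are assumptions.

```javascript
const CONSENT_COOKIE = "sessionReplayConsent";

// Read one cookie from a document-like object ({ cookie: "a=1; b=2" }).
function readCookie(doc, name) {
  for (const pair of doc.cookie.split(";")) {
    const [key, ...rest] = pair.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return null;
}

// With RUM opt-in mode enabled, RUM must be enabled before Session Replay.
function startRecording(dtrum, rumOptIn) {
  if (rumOptIn) dtrum.enable();
  dtrum.enableSessionReplay();
}

// Steps 1-3: record only when consent is stored as exactly "true".
// Returns "recording", "show-banner" or "rum-unavailable".
function applyStoredConsent(doc, dtrum, rumOptIn = false) {
  // dtrum exists only after the RUM JavaScript has been injected.
  if (!dtrum || typeof dtrum.enableSessionReplay !== "function") {
    return "rum-unavailable";
  }
  if (readCookie(doc, CONSENT_COOKIE) !== "true") return "show-banner";
  startRecording(dtrum, rumOptIn);
  return "recording";
}

// Steps 4-5: call from the consent banner's Accept handler.
function onConsentAccepted(doc, dtrum, rumOptIn = false) {
  startRecording(dtrum, rumOptIn);
  // Assumed attributes: session lifetime, HTTPS only, SameSite=Lax.
  doc.cookie = `${CONSENT_COOKIE}=true; Path=/; Secure; SameSite=Lax`;
}

// After the last recorded page: stop recording and remove the cookie.
function onLeaveRecordedArea(doc, dtrum) {
  dtrum.disableSessionReplay();
  doc.cookie = `${CONSENT_COOKIE}=; Path=/; Max-Age=0; Secure; SameSite=Lax`;
}
```

In the browser, pass document and window.dtrum; a missing or unexpected cookie value falls through to the banner rather than to recording.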

JavaScript methods used for enabling and disabling Session Replay can be used without displaying a banner to obtain consent. For example, if you wish to record a session each time any user logs in, you can use the dtrum.enableSessionReplay() method to start recording and the dtrum.disableSessionReplay() method to stop recording following successful logout. This gives you complete control over the start and stop of Session Replay.

Enable Session Replay opt-in mode

Session Replay opt-in mode is disabled by default.

To enable the opt-in mode

  1. In the Dynatrace menu, go to Web.
  2. Select the application that you want to configure.
  3. Select Browse > Edit.
  4. Select Session Replay and behavior > Session Replay.
  5. Turn on Enable Session Replay.
  6. Scroll down to the Privacy settings section and turn on Enable the opt-in mode for Session Replay.
  7. Select Save.

With these configuration settings, Session Replay is inactive in your end users' browsers, and sessions will not be recorded until the dtrum.enableSessionReplay() method is called from the application.

If you choose not to Enable the opt-in mode for Session Replay, all user sessions will be recorded from the beginning until dtrum.disableSessionReplay() is called from the application.

URL exclusion

URL exclusion is applicable to pages and views. If you want to exclude a page from Session Replay recording, define the regular expression that will be used to match against the specific page URL. You can configure rules for individual webpages, entire websites, and single-page applications.

To exclude pages from recording

  1. Define a regular expression that matches the page URL.
  2. Add the expression to the URL exclusion rule.

Masking

Session Replay records every user interaction. Therefore, protecting confidential user data by masking is of utmost importance. Masking settings give you options to protect confidential user data when recording as well as when playing back sessions. You can specify separate masking rules for recording sessions and, additionally, for playing back captured sessions, enabling you to apply layers of masking controlled by user permissions.

Content masking overview

Session Replay implements masking functionality that ensures that private user information is not captured at the time of recording, is masked at the time of session playback, or both.

The masking option masks only alphanumeric characters; format characters such as periods, commas, and colons are not masked. Therefore, when user sessions are played back, you can still validate the format of the content without viewing the actual information.

As an example, consider an email address field on a typical web form. The user enters their email address, as shown below:

[Figure: email field with content]

Session Replay masks this data and displays asterisks in place of the alphanumeric characters:

[Figure: email field with masked content]

The masked data, displayed as asterisks (*****) in the replayed session, either never leaves the client browser (masked at recording) or is captured but masked during playback. Note that playing back captured sessions is permission controlled.

Session Replay provides two options for determining what content should be masked:

  • The data-dtrum-mask predefined attribute: This option requires a change in the application code and is secure by design. It allows you to consider the elements that can contain confidential information at the design and implementation stages. The recorder automatically detects and masks the content (text and input values) and interactions (mouse movements and scrolls) in the node that contains the attribute as well as its descendants.

    Important

    The application code must be modified to incorporate the data-dtrum-mask attribute.

  • The Session Replay configuration page: This option allows a more customized approach. You can change the configuration to suit your session-recording requirements. Also, there's no need to change application code if you go with this option.

Session Replay also provides masking functionalities that can be used to hide interactions with specific elements that might inadvertently reveal confidential end-user information (see Content masking options below in the Session Replay configuration page). For example, think of a list that provides multiple options for responding to a form question about the user's religion or gender. Even with the text masked, the end user's response could be easily deduced by seeing the option that they selected.
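An added model of the two masking behaviours described above (alphanumeric-only masking and data-dtrum-mask applying to a node and its descendants), usable as a check for form fields left outside any masked subtree. This is not Dynatrace's recorder code; the tree shape, function names and sample form are constructed, and "alphanumeric" is assumed to mean Unicode letters and digits.

```javascript
// Constructed DOM-like node shape: { tag, attrs, text, children }.
// "text" stands for a node's text content or an input's value.
const FORM_TAGS = new Set(["input", "textarea", "select"]);

// Masking rule from the page: alphanumerics become "*", format characters stay.
// Assumption: "alphanumeric" is modelled as Unicode letters and digits.
function maskText(text) {
  return text.replace(/[\p{L}\p{N}]/gu, "*");
}

// Walk the tree. A node is masked if it or any ancestor carries data-dtrum-mask.
// Returns what a replay would show and the form fields no attribute covers.
function auditMasking(node, inherited = false, path = "",
                      out = { replay: [], unmasked: [] }) {
  const attrs = node.attrs || {};
  const masked = inherited || "data-dtrum-mask" in attrs;
  const here = `${path}/${node.tag}${attrs.id ? "#" + attrs.id : ""}`;
  if (node.text) out.replay.push(masked ? maskText(node.text) : node.text);
  if (FORM_TAGS.has(node.tag) && !masked) out.unmasked.push(here);
  for (const child of node.children || []) {
    auditMasking(child, masked, here, out);
  }
  return out;
}

// Constructed sample: the e-mail block is marked, the phone field was forgotten.
const sampleForm = {
  tag: "form", attrs: { id: "signup" }, children: [
    { tag: "div", attrs: { "data-dtrum-mask": "" }, children: [
      { tag: "label", text: "E-mail:" },
      { tag: "input", attrs: { id: "email" }, text: "jane.doe@example.com" },
    ] },
    { tag: "input", attrs: { id: "phone" }, text: "+1 555-0100" },
  ],
};
```

Calling auditMasking(sampleForm) reports the phone input as unmasked, which is the kind of gap the attribute-based approach leaves when a new field is added outside a marked container.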

Prerequisites for enhanced masking

  • Automatically injected or manually inserted RUM JavaScript version 1.193+—for more information, see RUM JavaScript injection.
  • Dynatrace version 1.206+

RUM JavaScript version

The new masking configuration is only supported by OneAgent instances with RUM JavaScript version 1.193+. If versions of the RUM JavaScript 1.192 and earlier coexist with versions 1.193+, the new masking settings will be applied only to sessions that are monitored with RUM JavaScript versions 1.193+. All other sessions will continue to use the older version of content masking. For a consistent experience, we recommend that you use RUM JavaScript version 1.193+.

Enable enhanced masking

  • If your RUM application was created after version 1.206 or upgraded to version 1.206, you don't need to do anything to enable the new masking settings. Recording and playback masking options are automatically available, with the most restrictive recording masking setting enabled by default.

  • If your RUM application was created prior to version 1.206, you might need to check your RUM JavaScript version and enable masking settings at the application level.

    1. In the Dynatrace menu, go to Web.

    2. Select the application that you want to configure.

    3. Select Browse > Edit.

    4. Select Session Replay and behavior > Session Replay.

    5. Turn on Enable Session Replay.

    6. In the Privacy settings section, select Learn more to expand the box, and select Check JavaScript tag version to automatically validate the prerequisites.

    7. Once Dynatrace detects that RUM JavaScript version 1.193+ is injected in your application, select Switch to new masking settings to enable the new masking settings. Note that you will not be able to return to the earlier settings once you switch to the new settings.

    Important

To configure enhanced masking

  1. In the Content masking preferences section, select a predefined masking option. (If you select Allow list or Block list, add the desired masking rules.)
  2. Select Save.

Content masking options in the Session Replay configuration page

Session Replay predefined masking options are available for both:

  • Masking data at the time of recording (Recording masking settings)—Masked user data never leaves the client browser and is not captured. Note: When you set the Recording masking settings to a more restrictive level, the same settings are also applied to Playback masking settings, which affects all past recorded sessions as well.
  • Masking at the time of playback (Playback masking settings)—Data that's captured during recording can still be masked and restricted from being viewed at the time of playback.

You can define masking rules for session recording, playback, or both.

Important

Playback masking rules are meant to provide an additional layer of masking over recording masking rules. Playback masking settings cannot be less restrictive than recording masking settings.

You can use user permissions to decide whether to allow session playback with or without playback masking rules in effect.

The following predefined masking options can be used to restrict capturing and/or playing back personal and confidential end-user data:

  • Mask all masks all text, images, and user input. This is the default option. It is recommended if you want to start testing Session Replay and ensure that confidential data is never collected, while still being able to see how users interact with your application. This masking option is also well suited to using Session Replay solely for troubleshooting applications, where the order in which the user interacts with the different controls is of importance.

    Note that Mask all does not hide user interactions with elements.

  • Mask user input masks all form inputs, including option items in list boxes and lists. This is the recommended approach when confidential information comes only from user input.

    Note that Mask user input does not hide user interactions with elements.

  • Allow list masks everything in the Mask all option except those elements (defined by CSS Selector) that match the defined allow-list rules. This ensures that even with subsequent code changes, new elements that display confidential information will not be recorded by the Session Replay recorder. This is the recommended approach for most applications, and it allows you to collect only the required information.

    Note that the Allow list option does not hide user interactions with elements.

  • Block list masks only the elements that are defined in the list, and nothing else. When you select this option, a list with all the rules applied to the Mask all option is presented to you. You can use this list to deselect those elements and attributes you want to capture. You can also create your own additional block list rules.

    With the Block list option, you can decide if you want to hide user interactions with masked elements.

Frequently asked questions