diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 166510da3..8ae556f93 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -234,6 +234,7 @@ class Config(dict):
 'SESSION_COOKIE_NAME_PREFIX': None,
 'SESSION_COOKIE_AGE': 3600 * 24,
 'SESSION_EXPIRE_AT_BROWSER_CLOSE': False,
+ 'VIEW_ASSET_ONLINE_SESSION_INFO': True,
 'LOGIN_URL': reverse_lazy('authentication:login'),
 'CONNECTION_TOKEN_ONETIME_EXPIRATION': 5 * 60, # 默认(new)
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index 2a915ae4e..3674e27a4 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -236,6 +236,7 @@ SESSION_COOKIE_NAME = '{}sessionid'.format(SESSION_COOKIE_NAME_PREFIX)
 SESSION_COOKIE_AGE = CONFIG.SESSION_COOKIE_AGE
 SESSION_SAVE_EVERY_REQUEST = CONFIG.SESSION_SAVE_EVERY_REQUEST
 SESSION_EXPIRE_AT_BROWSER_CLOSE = CONFIG.SESSION_EXPIRE_AT_BROWSER_CLOSE
+VIEW_ASSET_ONLINE_SESSION_INFO = CONFIG.VIEW_ASSET_ONLINE_SESSION_INFO
 SESSION_ENGINE = "common.sessions.{}".format(CONFIG.SESSION_ENGINE)
 MESSAGE_STORAGE = 'django.contrib.messages.storage.cookie.CookieStorage'
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 4f94f99bc..5068dcef5 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -30,6 +30,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
 SECURITY_LUNA_REMEMBER_AUTH = serializers.BooleanField()
 SECURITY_WATERMARK_ENABLED = serializers.BooleanField()
 SESSION_EXPIRE_AT_BROWSER_CLOSE = serializers.BooleanField()
+ VIEW_ASSET_ONLINE_SESSION_INFO = serializers.BooleanField()
 PASSWORD_RULE = serializers.DictField()
 SECURITY_SESSION_SHARE = serializers.BooleanField()
 XPACK_LICENSE_IS_VALID = serializers.BooleanField()
diff --git a/apps/terminal/api/session/session.py b/apps/terminal/api/session/session.py
index 400735f53..e2a5290a3 100644
--- a/apps/terminal/api/session/session.py
+++ b/apps/terminal/api/session/session.py
@@ -4,6 +4,7 @@ import os
 import tarfile
 from django.core.files.storage import default_storage
+from django.conf import settings
 from django.db.models import F
 from django.http import FileResponse
 from django.shortcuts import get_object_or_404, reverse
@@ -156,6 +157,8 @@ class SessionViewSet(RecordViewLogMixin, OrgBulkModelViewSet):
 @action(methods=[GET], detail=False, permission_classes=[IsAuthenticated],
 url_path='online-info', )
 def online_info(self, request, *args, **kwargs):
+ if not settings.VIEW_ASSET_ONLINE_SESSION_INFO:
+ return self.permission_denied(request, "view asset online session info disabled")
 asset = self.request.query_params.get('asset_id')
 account = self.request.query_params.get('account')
 if asset is None or account is None:
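Review bot: The added `return self.permission_denied(request, "view asset online session info disabled")` reads as though a response were returned, but DRF's `APIView.permission_denied` raises (`PermissionDenied`, or `NotAuthenticated` when the request carried authenticators and none succeeded), so the `return` never executes and obscures that this is an exception path; call it as a bare statement, or write `raise exceptions.PermissionDenied("view asset online session info disabled")` so the 403 is explicit. The check is correctly placed ahead of the `asset_id`/`account` validation, so a disabled flag fails closed regardless of input. Note that the flag defaults to `True` in conf.py, so existing deployments keep serving online-session information to any `IsAuthenticated` caller; whether the remainder of `online_info` (its body continues past the end of the hunk) scopes the result to assets the caller is actually permitted on cannot be seen here and should be confirmed. Since the setting is also exposed through `PrivateSettingSerializer`, it looks intended to be runtime-editable — confirm that `settings.VIEW_ASSET_ONLINE_SESSION_INFO` reflects the live value rather than the value captured at start-up in settings/base.py.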