Skip to content
Kong Logo | Kong Docs Logo
search
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Gateway
2.8.x
  • Home icon
  • Kong Gateway
  • Developer Portal
  • Configuration
  • Authentication
  • Sessions in the Dev Portal
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.5.x (latest)
  • 3.4.x
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • Archive (pre-2.6)
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • How does the Sessions Plugin work in the Dev Portal?
  • Configuration to Use the Sessions Plugin with the Dev Portal
  • Session Security
  • Example Configurations
    • HTTPS with the same domain for API and GUI
    • Domains
You are browsing documentation for an outdated version. See the latest documentation here.

Sessions in the Dev Portal

Important: Portal Session Configuration does not apply when using OpenID Connect for Dev Portal authentication. The following information assumes that the Dev Portal is configured with portal_auth other than openid-connect; for example, key-auth or basic-auth.

How does the Sessions Plugin work in the Dev Portal?

When a user logs in to the Dev Portal with their credentials, the Sessions Plugin will create a session cookie. The cookie is used for all subsequent requests and is valid to authenticate the user. The session has a limited duration and renews at a configurable interval, which helps prevent an attacker from obtaining and using a stale cookie after the session has ended.

The Session configuration is secure by default, which may require alteration if using HTTP or different domains for portal_api_url and portal_gui_host. Even if an attacker were to obtain a stale cookie, it would not benefit them since the cookie is encrypted. The encrypted session data may be stored either in Kong or the cookie itself.

Configuration to Use the Sessions Plugin with the Dev Portal

To enable sessions authentication, configure the following:

portal_auth = <set to desired auth type>
portal_session_conf = {
    "secret":"<SET_SECRET>",
    "cookie_name":"<SET_COOKIE_NAME>",
    "storage":"kong",
    "cookie_lifetime":<NUMBER_OF_SECONDS_TO_LIVE>,
    "cookie_renew":<NUMBER_OF_SECONDS_LEFT_TO_RENEW>,
    "cookie_secure":<SET_DEPENDING_ON_PROTOCOL>,
    "cookie_domain":"<SET_DEPENDING_ON_DOMAIN>",
    "cookie_samesite":"<SET_DEPENDING_ON_DOMAIN>"
}
  • "cookie_name":"<SET_COOKIE_NAME>": The name of the cookie
    • For example, "cookie_name":"portal_cookie"
  • "secret":"<SET_SECRET>": The secret used in keyed HMAC generation. Although the Session Plugin’s default is a random string, the secret must be manually set for use with the Dev Portal since it must be the same across all Kong workers/nodes.
  • "storage":"kong": Where session data is stored. This value must be set to kong for use with the Dev Portal.
  • "cookie_lifetime":<NUMBER_OF_SECONDS_TO_LIVE>: The duration (in seconds) that the session will remain open; 3600 by default.
  • "cookie_renew":<NUMBER_OF_SECONDS_LEFT_TO_RENEW>: The duration (in seconds) of a session remaining at which point the Plugin renews the session; 600 by default.
  • "cookie_secure":<SET_DEPENDING_ON_PROTOCOL>: true by default. See Session Security for exceptions.
  • "cookie_domain":<SET_DEPENDING_ON_DOMAIN>: Optional. See Session Security for exceptions.
  • "cookie_samesite":"<SET_DEPENDING_ON_DOMAIN>": "Strict" by default. See Session Security for exceptions.

⚠️Important: The following properties must not be altered from default for use with the Dev Portal:

  • logout_methods
  • logout_query_arg
  • logout_post_arg

For detailed descriptions of each configuration property, see the Session Plugin documentation.

Session Security

The Session configuration is secure by default, so the cookie uses the Secure, HttpOnly, and SameSite directives.

⚠️Important: The following properties must be altered depending on the protocol and domains in use:

  • If using HTTP instead of HTTPS: "cookie_secure": false
  • If using different subdomains for the portal_api_url and portal_gui_host, see the example below for Domains.

Important: Sessions are not invalidated when a user logs out if "storage": "cookie" (the default) is used. In that case, the cookie is deleted client-side. Only when session data is stored server-side with "storage": "kong" set is the session actively invalidated.

Example Configurations

HTTPS with the same domain for API and GUI

If using HTTPS and hosting Dev Portal API and the Dev Portal GUI from the same domain, the following configuration could be used for Basic Auth:

portal_auth = basic-auth
portal_session_conf = {
    "cookie_name":"$4m04$"
    "secret":"change-this-secret"
    "storage":"kong"
    "cookie_secure":true
}

In testing, if using HTTP, the following configuration could be used instead:

portal_auth = basic-auth
portal_session_conf = {
    "cookie_name":"04tm34l"
    "secret":"change-this-secret"
    "storage":"kong"
    "cookie_secure":false
}

Domains

The dev portal portal_gui_host and the dev portal api portal_api_url must share a domain or subdomain. The following example assumes subdomains of portal.xyz.com and portalapi.xyz.com. Set a subdomain such as "cookie_domain": ".xyz.com" and set cookie_samesite to off.

portal_auth = basic-auth
portal_session_conf = {
    "storage":"kong"
    "cookie_name":"portal_session"
    "cookie_domain": ".xyz.com"
    "secret":"super-secret"
    "cookie_secure":false
    "cookie_lifetime":31557600,
    "cookie_samesite":"off"
}
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Gateway Enterprise Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2023