In order to give you better service we use cookies. By continuing to use our website, you agree to the use of cookies as described in our Cookie Policy

Konnect Plus: Pay-as-you-go from startup friendly to enterprise scale. See Pricing →
Kong Logo
search
Docs
Kong Konnect Platform Konnect Platform Konnect Cloud Kong Gateway (Enterprise) Kong Mesh Plugin Hub
Open Source Kong Gateway (OSS) decK Kubernetes Ingress Controller Insomnia Kuma
Contribute to the docs Contribution guidelines
Support Community Kong U Demos & Labs
Get Started
Plugin Hub
header icon

Session

The Kong Session Plugin can be used to manage browser sessions for APIs proxied through the Kong API Gateway. It provides configuration and management for session data storage, encryption, renewal, expiry, and sending browser cookies. It is built using lua-resty-session.

For information about configuring and using the Sessions plugin with the Dev Portal, see Sessions in the Dev Portal.

Configuration Reference

This plugin is partially compatible with DB-less mode.

In DB-less mode, you configure Kong Gateway declaratively. Therefore, the Admin API is mostly read-only. The only tasks it can perform are all related to handling the declarative config, including:

  • setting a target's health status in the load balancer
  • validating configurations against schemas
  • uploading the declarative configuration using the /config endpoint

config.storage must be set to cookie. The kong strategy uses a database, and is not supported. The plugin currently lacks checks for this invalid configuration in DB-less mode.

Enabling the plugin on a service

Admin API
Kubernetes
Declarative (YAML)
Konnect Cloud
Manager

For example, configure this plugin on a service by making the following request:

1
2
3

$ curl -X POST http://<admin-hostname>:8001/services/<service>/plugins \
    --data "name=session"  \
    --data "config.secret=opensesame"

<service> is the id or name of the service that this plugin configuration will target.

First, create a KongPlugin resource:

1
2
3
4
5
6
7

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: <session-example>
config: 
  secret: opensesame
plugin: session

Next, apply the KongPlugin resource to a Service by annotating the Service as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

apiVersion: v1
kind: Service
metadata:
  name: <service>
  labels:
    app: <service>
  annotations:
    konghq.com/plugins: <session-example>
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: <service>
  selector:
    app: <service>

<service> is the id or name of the service that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

For example, configure this plugin on a service by adding this section to your declarative configuration file:

1
2
3
4
5

plugins:
- name: session
  service: <service>
  config: 
    secret: opensesame

<service> is the id or name of the service that this plugin configuration will target.

Configure this plugin on a service:

  1. In Konnect Cloud, select the service on the ServiceHub page.
  2. Scroll down to Versions and select the version.
  3. Scroll down to Plugins and click New Plugin.
  4. Find and select the Session plugin.
  5. Click Create.

Configure this plugin on a service:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, scroll down to Services and click View for the service row.
  3. Scroll down to plugins and click Add Plugin.

  4. Find and select the Session plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, select Scoped.
  6. Add the service name and ID to the Service field if it is not already prefilled.
  7. Click Create.

Enabling the plugin on a route

Admin API
Kubernetes
Declarative (YAML)
Konnect Cloud
Manager

For example, configure this plugin on a route with:

1
2
3

$ curl -X POST http://<admin-hostname>:8001/routes/<route>/plugins \
    --data "name=session"  \
    --data "config.secret=opensesame"

<route> is the id or name of the route that this plugin configuration will target.

First, create a KongPlugin resource:

1
2
3
4
5
6
7

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: <session-example>
config: 
  secret: opensesame
plugin: session

Then, apply it to an ingress (Route or Routes) by annotating the ingress as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

apiVersion: networking/v1beta1
kind: Ingress
metadata:
  name: <route>
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: <session-example>
spec:
  rules:
  - host: examplehostname.com
    http:
      paths:
      - path: /bar
        backend:
          serviceName: echo
          servicePort: 80

<route> is the id or name of the route that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

For example, configure this plugin on a route by adding this section to your declarative configuration file:

1
2
3
4
5

plugins:
- name: session
  route: <route>
  config: 
    secret: opensesame

<route> is the id or name of the route that this plugin configuration will target.

Configure this plugin on a route:

  1. In Konnect Cloud, select the service from the ServiceHub page.
  2. Scroll down to Versions and select the version.
  3. Select the route.
  4. Scroll down to Plugins and click Add Plugin.
  5. Find and select the Session plugin.
  6. Click Create.

Configure this plugin on a route:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, select Routes in the left navigation.
  3. Click View for the route row.
  4. Scroll down to plugins and click Add Plugin.

  5. Find and select the Session plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  6. If the option is available, select Scoped.
  7. Add the Route ID if it is not already prefilled.
  8. Click Create.

Enabling the plugin globally

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

Admin API
Kubernetes
Declarative (YAML)
Kong Manager

For example, configure this plugin globally with:

1
2
3

$ curl -X POST http://<admin-hostname>:8001/plugins/ \
    --data "name=session"  \
    --data "config.secret=opensesame"

Create a KongClusterPlugin resource and label it as global:

1
2
3
4
5
6
7
8
9
10
11

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-session>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: \"true\"
config: 
  secret: opensesame
plugin: session

For example, configure this plugin using the plugins: entry in the declarative configuration file:

1
2
3
4

plugins:
- name: session
  config: 
    secret: opensesame

Configure this plugin globally:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, select Plugins in the left navigation.
  3. Click New Plugin.

  4. Find and select the Session plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, set the plugin scope to Global.
  6. Click Create.

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

Form Parameter Description
name

Type: string		 The name of the plugin to use, in this case session.
service.id

Type: string		 The ID of the Service the plugin targets.
route.id

Type: string		 The ID of the Route the plugin targets.
enabled

Type: boolean

Default value: true		 Whether this plugin will be applied.
config.secret
optional

Type: string

Default value: random number generated from kong.utils.random_string

The secret that is used in keyed HMAC generation.​
config.cookie_name
optional

Type: string

Default value: session

The name of the cookie.
config.cookie_lifetime
optional

Type: number

Default value: 3600

The duration in seconds that the session will remain open.
config.cookie_idletime
optional

Type: number

The cookie idle time (in seconds); if a cookie is not used for this time period, the session becomes invalid. This value is not set by default, meaning idle time checks are disabled.
config.cookie_renew
optional

Type: number

Default value: 600

The remaining duration in seconds of a session at which point the Plugin renews the session.
config.cookie_path
optional

Type: string

Default value: /

The resource in the host where the cookie is available.
config.cookie_domain
optional

Type: string

Default value: Set using Nginx variable host, but may be overridden

The domain with which the cookie is intended to be exchanged.
config.cookie_samesite
optional

Type: string

Default value: Strict

Determines whether and how a cookie may be sent with cross-site requests. Strict: The browser will send cookies only if the request originated from the website that set the cookie. Lax: Same-site cookies are withheld on cross-domain subrequests, but will be sent when a user navigates to the URL from an external site, for example, by following a link. None or off: Disables the same-site attribute so that a cookie may be sent with cross-site requests. None requires the Secure attribute (cookie_secure) in latest browser versions. For more info, see the SameSite cookies docs on MDN.’
config.cookie_httponly
optional

Type: boolean

Default value: true

Applies the HttpOnly tag so that the cookie is sent only to a server. See the Restrict access to cookies docs on MDN.
config.cookie_secure
optional

Type: boolean

Default value: true

Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol. See the Restrict access to cookies docs on MDN.
config.cookie_discard
optional

Type: number

Default value: 10

The duration in seconds after which an old session’s TTL is updated that an old cookie is discarded.
config.storage
optional

Type: string

Default value: cookie

Determines where the session data is stored. kong: Stores encrypted session data into Kong’s current database strategy (e.g. Postgres, Cassandra); the cookie will not contain any session data. cookie: Stores encrypted session data within the cookie itself.
config.logout_methods
optional

Type: array of string elements

Default value: ["POST", "DELETE"]

The methods that may be used to end sessions: POST, DELETE, GET.
config.logout_query_arg
optional

Type: string

Default value: session_logout

The query argument passed to logout requests.
config.logout_post_arg
optional

Type: string

Default value: session_logout

The POST argument passed to logout requests. Do not change this property.

Usage

The Kong Session Plugin can be configured globally or per entity (e.g., Service, Route) and is always used in conjunction with another Kong Authentication Plugin. This Plugin is intended to work similarly to the multiple authentication setup.

After the Kong Session Plugin is enabled in conjunction with an Authentication Plugin, it will run prior to credential verification. If no session is found, then the authentication Plugin will run and credentials will be checked as normal. If the credential verification is successful, then the session Plugin will create a new session for usage with subsequent requests.

When a new request comes in, and a session is already present, then the Kong Session Plugin will attach the ngx.ctx variables to let the authentication Plugin know that authentication has already occurred via session validation. Because this configuration is a logical OR scenario, and it is desired that anonymous access be forbidden, then the Request Termination Plugin should be configured on an anonymous consumer. Failure to do so will allow unauthorized requests. For more information, see multiple authentication.

Set up With a Database

For usage with Key Auth Plugin

  1. Create an example Service and a Route

    Issue the following cURL request to create example-service pointing to mockbin.org, which will echo the request:

    1
2
3
4

    $ curl -i -X POST \
  --url http://localhost:8001/services/ \
  --data 'name=example-service' \
  --data 'url=http://mockbin.org/request'

    Add a route to the Service:

    1
2
3

    $ curl -i -X POST \
  --url http://localhost:8001/services/example-service/routes \
  --data 'paths[]=/sessions-test'

    The URL http://localhost:8000/sessions-test will now echo whatever is being requested.

  2. Configure the key-auth Plugin for the Service

    Issue the following cURL request to add the key-auth Plugin to the Service:

    1
2
3

    $ curl -i -X POST \
  --url http://localhost:8001/services/example-service/plugins/ \
  --data 'name=key-auth'

    Be sure to note the created Plugin id - you will need it later.

  3. Verify that the key-auth Plugin is properly configured

    Issue the following cURL request to verify that the [key-auth][key-auth] Plugin was properly configured on the Service:

    1
2

    $ curl -i -X GET \
  --url http://localhost:8000/sessions-test

    Since the required header or parameter apikey was not specified, and anonymous access was not yet enabled, the response should be 401 Unauthorized.

  4. Create a Consumer and an anonymous Consumer

    Every request proxied and authenticated by Kong must be associated with a Consumer. You’ll now create a Consumer named anonymous_users by issuing the following request:

    1
2
3

    $ curl -i -X POST \
  --url http://localhost:8001/consumers/ \
  --data "username=anonymous_users"

    Be sure to note the Consumer id - you will need it later.

    Now create a consumer that will authenticate via sessions:

    1
2
3

    $ curl -i -X POST \
  --url http://localhost:8001/consumers/ \
  --data "username=fiona"

  5. Provision key-auth credentials for your Consumer

    1
2
3

    $ curl -i -X POST \
  --url http://localhost:8001/consumers/fiona/key-auth/ \
  --data 'key=open_sesame'

  6. Enable anonymous access

    You’ll now re-configure the key-auth Plugin to permit anonymous access by issuing the following request (replace the uuids below with the id value from previous steps):

    1
2
3

    $ curl -i -X PATCH \
  --url http://localhost:8001/plugins/<your-key-auth-plugin-id> \
  --data "config.anonymous=<anonymous_consumer_id>"

  7. Add the Kong Session Plugin to the service

    1
2
3
4

    $ curl -X POST http://localhost:8001/services/example-service/plugins \
    --data "name=session"  \
    --data "config.storage=kong" \
    --data "config.cookie_secure=false"

    Note: cookie_secure is true by default, and should always be true, but is set to false for the sake of this demo to avoid using HTTPS.

  8. Add the Request Termination Plugin

    To disable anonymous access to only allow users access via sessions or via authentication credentials, enable the Request Termination Plugin.

    1
2
3
4
5

    $ curl -X POST http://localhost:8001/services/example-service/plugins \
    --data "name=request-termination"  \
    --data "config.status_code=403" \
    --data "config.message=So long and thanks for all the fish!" \
    --data "consumer.id=<anonymous_consumer_id>"

Set up Without a Database

Add all these to the declarative config file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

services:
  - name: example-service
    url: http://mockbin.org/request

routes:
  - service: example-service
    paths: ['/sessions-test']

consumers:
  - username: anonymous_users
    # manually set to fixed uuid in order to use it in key-auth plugin
    id: 81823632-10c0-4098-a4f7-31062520c1e6
  - username: fiona

keyauth_credentials:
  - consumer: fiona
    key: open_sesame

plugins:
  - name: key-auth
    service: example-service
    config:
      # using the anonymous consumer fixed uuid (can't use the username)
      anonymous: 81823632-10c0-4098-a4f7-31062520c1e6
      # cookie_secure is true by default, and should always be true,
      # but is set to false for the sake of this demo in order to avoid using HTTPS.
      cookie_secure: false
  - name: session
    config:
      storage: kong
      cookie_secure: false
  - name: request-termination
    service: example-service
    consumer: anonymous_users
    config:
      status_code: 403
      message: 'So long and thanks for all the fish!'

Verification

  1. Check that Anonymous requests are disabled:

    1
2

      $ curl -i -X GET \
    --url http://localhost:8000/sessions-test

    Should return 403.

  2. Verify that a user can authenticate via sessions

    1
2

    $ curl -i -X GET \
  --url http://localhost:8000/sessions-test?apikey=open_sesame

    The response should now have the Set-Cookie header. Make sure that this cookie works.

    If cookie looks like this:

    1

    Set-Cookie: session=emjbJ3MdyDsoDUkqmemFqw..|1544654411|4QMKAE3I-jFSgmvjWApDRmZHMB8.; Path=/; SameSite=Strict; HttpOnly

    Use it like this:

    1
2
3

      $ curl -i -X GET \
    --url http://localhost:8000/sessions-test \
    -H "cookie:session=emjbJ3MdyDsoDUkqmemFqw..|1544654411|4QMKAE3I-jFSgmvjWApDRmZHMB8."

    This request should succeed, and Set-Cookie response header will not appear until the renewal period.

  3. You can also now verify cookie is attached to the browser session: Navigate to http://localhost:8000/sessions-test, which should return 403 and see the message “So long and thanks for all the fish!”
  4. In the same browser session, navigate to http://localhost:8000/sessions-test?apikey=open_sesame, which should return 200, authenticated via key-auth key query param.
  5. In the same browser session, navigate to http://localhost:8000/sessions-test, which will now use the session cookie that was granted by the Kong Session Plugin.

Defaults

By default, the Kong Session Plugin favors security using a Secure, HTTPOnly, Samesite=Strict cookie. cookie_domain is automatically set using Nginx variable host, but can be overridden.

Session Data Storage

The session data can be stored in the cookie itself (encrypted) storage=cookie, or inside Kong. The session data stores these context variables:

1
2
3

ngx.ctx.authenticated_consumer.id
ngx.ctx.authenticated_credential.id
ngx.ctx.authenticated_groups

The plugin also sets a ngx.ctx.authenticated_session for communication between the access and header_filter phases in the plugin.

Groups

Authenticated groups are stored on ngx.ctx.authenticated_groups from other authentication plugins and the session plugin will store them in the data of the current session. Since the session plugin runs before authentication plugins, it will also set authenticated_groups associated headers.

Kong Storage Adapter

The Kong Session Plugin extends the functionality of lua-resty-session with its own session data storage adapter when storage=kong. This will store encrypted session data into the current database strategy (e.g., Postgres, Cassandra, etc.) and the cookie will not contain any session data. Data stored in the database is encrypted and the cookie will contain only the session id, expiration time, and HMAC signature. Sessions will use the built-in Kong DAO ttl mechanism that destroys sessions after specified cookie_lifetime unless renewal occurs during normal browser activity. It is recommended that the application logout via XHR request (or something similar) to manually handle redirects.

Logging Out

It is typical to provide users the ability to log out (i.e., to manually destroy) their current session. Logging out is possible with either query params or POST params in the request URL. The config’s logout_methods allows the Plugin to limit logging out based on the HTTP verb. When logout_query_arg is set, it will check the presence of the URL query param specified, and likewise when logout_post_arg is set, it will check the presence of the specified variable in the request body. Allowed HTTP verbs are GET, DELETE, and POST. When there is a session present and the incoming request is a logout request, the Kong Session Plugin will return a 200 before continuing in the Plugin run loop, and the request will not continue to the upstream.

Known Limitations

Due to limitations of OpenResty, the header_filter phase cannot connect to the database, which poses a problem for initial retrieval of a cookie (fresh session). There is a small window of time where the cookie is sent to client, but the database insert has not yet been committed because the database call is in a ngx.timer thread. Current workaround is to wait some interval of time (~100-500ms) after Set-Cookie header is sent to the client before making subsequent requests. This is not a problem during session renewal period as renew happens in access phase.

image