You are browsing documentation for an outdated plugin version.
Configuration
This plugin is partially compatible with DB-less mode. config.storage must be set to cookie. The kong strategy uses a database, and is not supported. The plugin currently lacks checks for this invalid configuration in DB-less mode.
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
-
string required
The name of the plugin, in this case session.
- If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is name.
- If using the KongPlugin object in Kubernetes, the field is plugin.
-
string
The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/{serviceName|Id}/plugins.
-
string
The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/{routeName|Id}/plugins.
-
boolean default: true
Whether this plugin will be applied.
-
record required
-
string referenceable encrypted default: UnXKQHe8y4hyiLqpH0BX9pSz4blZuZvIFhg11Zv87dEe
The secret that is used in keyed HMAC generation.
-
string default: session
The name of the cookie.
-
number default: 3600
The duration in seconds that the session will remain open.
-
number
The cookie idle time (in seconds); if a cookie is not used for this time period, the session becomes invalid. This value is not set by default, meaning idle time checks are disabled.
-
number default: 600
The remaining duration in seconds of a session at which point the plugin renews the session.
-
string default: /
The resource in the host where the cookie is available.
-
string
The domain with which the cookie is intended to be exchanged.
-
string default: Strict
Must be one of: Strict, Lax, None, off
Determines whether and how a cookie may be sent with cross-site requests.
- Strict: The browser sends cookies only if the request originated from the website that set the cookie.
- Lax: Same-site cookies are withheld on cross-domain subrequests, but are sent when a user navigates to the URL from an external site, for example, by following a link.
- None or off: Disables the same-site attribute so that a cookie may be sent with cross-site requests. None requires the Secure attribute (cookie_secure) in latest browser versions. For more information, see the SameSite cookies docs on MDN.
-
boolean default: true
Applies the HttpOnly tag so that the cookie is sent only to a server. See the Restrict access to cookies docs on MDN.
-
boolean default: true
Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol. See the Restrict access to cookies docs on MDN.
-
number default: 10
The duration in seconds, counted from when an old session’s TTL is updated, after which the old cookie is discarded.
-
string default: cookie
Must be one of: cookie, kong
Determines where the session data is stored.
- kong: Stores encrypted session data into Kong’s current database strategy; the cookie will not contain any session data.
- cookie: Stores encrypted session data within the cookie itself.
-
array of type string default: POST, DELETE
Must be one of: GET, POST, DELETE
The methods that may be used to end sessions: POST, DELETE, GET.
-
string default: session_logout
The query argument passed to logout requests.
-
string default: session_logout
The POST argument passed to logout requests. Do not change this property.
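An added example (not part of the Kong documentation or the plugin's code): because the plugin does not reject storage set to kong in DB-less mode, a pre-deployment check over the declarative configuration can catch it, along with the cookie attribute combinations described in the parameter list. The field names secret, cookie_samesite and cookie_httponly, the nesting of plugins under services and routes, and the sample configuration are assumptions that do not appear on this page.

```python
# Added example: lint a parsed Kong declarative config for risky session settings.
# Field names under `config` other than `storage` and `cookie_secure` are assumed.

# The default secret value printed in the parameter list on this page.
DOCUMENTED_SECRET = "UnXKQHe8y4hyiLqpH0BX9pSz4blZuZvIFhg11Zv87dEe"

def lint_session_plugin(config, dbless=True):
    """Return findings for one session plugin `config` record."""
    findings = []
    secure = config.get("cookie_secure", True)          # documented default: true
    samesite = config.get("cookie_samesite", "Strict")  # documented default: Strict
    if dbless and config.get("storage", "cookie") == "kong":
        findings.append("storage=kong needs a database; DB-less mode requires storage=cookie")
    if samesite in ("None", "off") and not secure:
        findings.append("cookie_samesite=%s set without cookie_secure" % samesite)
    if not secure:
        findings.append("cookie_secure=false: cookie may be sent over plain HTTP")
    if not config.get("cookie_httponly", True):
        findings.append("cookie_httponly=false: cookie is readable by page scripts")
    if config.get("secret") == DOCUMENTED_SECRET:
        findings.append("secret is the value printed in the documentation")
    return findings

def lint_declarative(doc, dbless=True):
    """Check global, service-scoped and route-scoped session plugins."""
    scopes = [("global", doc.get("plugins", []))]
    for svc in doc.get("services", []):
        scopes.append(("service:" + svc.get("name", "?"), svc.get("plugins", [])))
        for route in svc.get("routes", []):
            scopes.append(("route:" + route.get("name", "?"), route.get("plugins", [])))
    report = {}
    for scope, plugins in scopes:
        for plugin in plugins:
            if plugin.get("name") == "session" and plugin.get("enabled", True):
                found = lint_session_plugin(plugin.get("config", {}), dbless)
                if found:
                    report.setdefault(scope, []).extend(found)
    return report

# Constructed sample: a declarative config already parsed into a dict.
SAMPLE = {
    "plugins": [{"name": "session", "config": {
        "storage": "kong", "cookie_samesite": "None", "cookie_secure": False}}],
    "services": [{"name": "orders", "plugins": [{"name": "session", "config": {
        "storage": "cookie", "secret": "<placeholder-loaded-from-vault>"}}]}],
}

if __name__ == "__main__":
    for scope, found in lint_declarative(SAMPLE).items():
        print(scope, found)
```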