Configuration
This plugin is partially compatible with DB-less mode. config.storage must be set to cookie. The kong strategy uses a database, and is not supported. The plugin currently lacks checks for this invalid configuration in DB-less mode.
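Since the plugin itself does not reject the kong strategy in DB-less mode, the check below lints a declarative configuration (assumed to be already parsed from kong.yml into a dict) and reports every session plugin entry whose config.storage needs a database. This is an added illustration, not code from Kong or the plugin; the sample configuration and the service name are constructed for the demonstration.

```python
from typing import Iterator, Tuple

# Constructed sample in the shape of a parsed kong.yml (declarative config):
# one compliant top-level entry and one service-level entry using "kong".
SAMPLE_CONFIG = {
    "_format_version": "3.0",
    "plugins": [{"name": "session", "config": {"storage": "cookie"}}],
    "services": [{
        "name": "my-service",
        "url": "https://upstream.example.invalid",
        "plugins": [{"name": "session", "config": {"storage": "kong"}}],
    }],
}

def iter_plugins(config: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (location, entry) for every plugin in the declarative config.
    Plugins can be attached at the top level, to a service, to a route nested
    under a service, or to a top-level route."""
    for i, p in enumerate(config.get("plugins") or []):
        yield f"plugins[{i}]", p
    for s in config.get("services") or []:
        base = f"services[{s.get('name', '?')}]"
        for i, p in enumerate(s.get("plugins") or []):
            yield f"{base}.plugins[{i}]", p
        for r in s.get("routes") or []:
            for i, p in enumerate(r.get("plugins") or []):
                yield f"{base}.routes[{r.get('name', '?')}].plugins[{i}]", p
    for r in config.get("routes") or []:
        for i, p in enumerate(r.get("plugins") or []):
            yield f"routes[{r.get('name', '?')}].plugins[{i}]", p

def check_session_storage(config: dict, db_less: bool = True) -> list:
    """Return one finding per session plugin entry whose storage setting is
    invalid, or needs a database while Kong runs DB-less."""
    findings = []
    for where, p in iter_plugins(config):
        if p.get("name") != "session":
            continue
        storage = (p.get("config") or {}).get("storage", "cookie")  # plugin default
        if storage not in ("cookie", "kong"):
            findings.append(f"{where}: config.storage={storage!r} must be one of cookie, kong")
        elif db_less and storage == "kong":
            findings.append(f"{where}: config.storage='kong' needs a database and is not "
                            "supported in DB-less mode; set it to 'cookie'")
    return findings

if __name__ == "__main__":
    for line in check_session_storage(SAMPLE_CONFIG):
        print(line)
```

Run it against the parsed config before pushing it to a DB-less node; a non-empty result means the deployment would silently carry an unsupported storage setting.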
Compatible protocols
The Session plugin is compatible with the following protocols: grpc, grpcs, http, https, tcp, tls, tls_passthrough, udp, ws, wss
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
- string required
  The name of the plugin, in this case session.
  - If using the Kong Admin API, Konnect API, declarative configuration, or decK files, the field is name.
  - If using the KongPlugin object in Kubernetes, the field is plugin.
- string
  An optional custom name to identify an instance of the plugin, for example session_my-service. The instance name shows up in Kong Manager and in Konnect, so it's useful when running the same plugin in multiple contexts, for example, on multiple services. You can also use it to access a specific plugin instance via the Kong Admin API.
  An instance name must be unique within the following context:
  - Within a workspace for Kong Gateway Enterprise
  - Within a control plane or control plane group for Konnect
  - Globally for Kong Gateway (OSS)
- string
  The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint. Not required if using /services/{serviceName|Id}/plugins.
- string
  The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint. Not required if using /routes/{routeName|Id}/plugins.
- boolean default: true
  Whether this plugin will be applied.
- record required
  - string referenceable encrypted default: lt9BJW1n5RfhCxTbNIKqsj8THW7YNdXTA0VW6KQwBUwg
    The secret that is used in keyed HMAC generation.
  - string default: cookie
    Must be one of: cookie, kong
    Determines where the session data is stored. kong: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. cookie: Stores encrypted session data within the cookie itself.
  - string default: default
    The session audience, which is the intended target application. For example "my-application".
  - number default: 900
    The session cookie idle time, in seconds.
  - number default: 3600
    The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.
  - number default: 86400
    The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.
  - number default: 10
    The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.
  - string default: session
    The name of the cookie.
  - string default: /
    The resource in the host where the cookie is available.
  - string
    The domain with which the cookie is intended to be exchanged.
  - string default: Strict
    Must be one of: Strict, Lax, None, Default
    Determines whether and how a cookie may be sent with cross-site requests.
  - boolean default: true
    Applies the HttpOnly tag so that the cookie is sent only to a server.
  - boolean default: true
    Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.
  - boolean default: false
    Enables or disables persistent sessions.
  - string default: remember
    Persistent session cookie name. Use with the remember configuration parameter.
  - number default: 604800
    The persistent session rolling timeout window, in seconds.
  - number default: 2592000
    The persistent session absolute timeout limit, in seconds.
  - set of type string
    Must be one of: id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout
    List of information to include, as headers, in the response to the downstream.
  - set of type string
    Must be one of: id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout
    List of information to include, as headers, in the response to the downstream.
  - boolean default: false
  - set of type string default: POST, DELETE
    Must be one of: GET, POST, DELETE
    A set of HTTP methods that the plugin will respond to.
  - string default: session_logout
    The query argument passed to logout requests.
  - string default: session_logout
    The POST argument passed to logout requests. Do not change this property.
  - number
    Deprecation notice:
  - number
    Deprecation notice:
  - number
    Deprecation notice:
  - number
    Deprecation notice:
  - string
    Deprecation notice:
  - boolean
    Deprecation notice:
  - boolean
    Deprecation notice: