Sessions in the Dev Portal
Important: Portal Session Configuration does not apply when using OpenID Connect for Dev Portal authentication. The following information assumes that the Dev Portal is configured with
portal_auth
other thanopenid-connect
; for example,key-auth
orbasic-auth
.
How does the Sessions plugin work in the Dev Portal?
When a user logs in to the Dev Portal with their credentials, the Sessions plugin creates a session cookie. The cookie is used for all subsequent requests and is valid to authenticate the user. The session has a limited duration and renews at a configurable interval, which helps prevent an attacker from obtaining and using a stale cookie after the session has ended.
The session configuration is secure by default, which may require alteration if using HTTP or different domains for portal_api_url and portal_gui_host. Even if an attacker were to obtain a stale cookie, it would not benefit them since the cookie is encrypted. The encrypted session data may be stored either in Kong or the cookie itself.
Configuration to use the Sessions plugin with the Dev Portal
To enable sessions authentication, configure the following:
portal_auth = <set to desired auth type>
portal_session_conf = {
"secret":"<SET_SECRET>",
"cookie_name":"<SET_COOKIE_NAME>",
"storage":"kong",
"rolling_timeout":<NUMBER_OF_SECONDS_UNTIL_RENEWAL>,
"cookie_secure":<SET_DEPENDING_ON_PROTOCOL>,
"cookie_domain":"<SET_DEPENDING_ON_DOMAIN>",
"cookie_samesite":"<SET_DEPENDING_ON_DOMAIN>"
}
"cookie_name":"<SET_COOKIE_NAME>"
: The name of the cookie- For example,
"cookie_name":"portal_cookie"
- For example,
"secret":"<SET_SECRET>"
: The secret used in keyed HMAC generation. Although the Session Plugin’s default is a random string, thesecret
must be manually set for use with the Dev Portal since it must be the same across all Kong workers/nodes."storage":"kong"
: Where session data is stored. This value must be set tokong
for use with the Dev Portal."rolling_timeout":<NUMBER_OF_SECONDS_UNTIL_RENEWAL>
: Specifies, in seconds, how long the session can be used until it needs to be renewed. 3600 by default."cookie_secure":<SET_DEPENDING_ON_PROTOCOL>
:true
by default. See Session Security for exceptions."cookie_domain":<SET_DEPENDING_ON_DOMAIN>:
Optional. See Session Security for exceptions."cookie_same_site":"<SET_DEPENDING_ON_DOMAIN>"
:"Strict"
by default. See Session Security for exceptions.
The following properties must not be altered from default for use with the Dev Portal:
logout_methods
logout_query_arg
logout_post_arg
For detailed descriptions of each configuration property, see the Session plugin documentation.
Session security
The Session configuration is secure by default, so the cookie uses the Secure, HttpOnly, and SameSite directives.
The following properties must be altered depending on the protocol and domains in use:
- If using HTTP instead of HTTPS:
"cookie_secure": false
- If using different subdomains for the portal_api_url and portal_gui_host, see the example below for Domains.
Important: Sessions are not invalidated when a user logs out if
"storage": "cookie"
(the default) is used. In that case, the cookie is deleted client-side. Only when session data is stored server-side with"storage": "kong"
set is the session actively invalidated.
Example Configurations
HTTPS with the same domain for API and GUI
If using HTTPS and hosting Dev Portal API and the Dev Portal GUI from the same domain, the following configuration could be used for Basic Auth:
portal_auth = basic-auth
portal_session_conf = {
"cookie_name":"$4m04$"
"secret":"change-this-secret"
"storage":"kong"
"cookie_secure":true
}
In testing, if using HTTP, the following configuration could be used instead:
portal_auth = basic-auth
portal_session_conf = {
"cookie_name":"04tm34l"
"secret":"change-this-secret"
"storage":"kong"
"cookie_secure":false
}
Domains
The dev portal portal_gui_host
and the dev portal api portal_api_url
must share a domain or subdomain. The following example assumes subdomains of portal.xyz.com
and portalapi.xyz.com
. Set a subdomain such as "cookie_domain": ".xyz.com"
and set cookie_same_site
to off
.
portal_auth = basic-auth
portal_session_conf = {
"storage":"kong"
"cookie_name":"portal_session"
"cookie_domain": ".xyz.com"
"secret":"super-secret"
"cookie_secure":false
"rolling_timeout":31557600,
"cookie_same_site":"off"
}