Sessions in Kong Manager

How does the Sessions Plugin work in Kong Manager?

When a user logs in to Kong Manager with their credentials, the Sessions Plugin will create a session cookie. The cookie is used for all subsequent requests and is valid to authenticate the user. The session has a limited duration and renews at a configurable interval, which helps prevent an attacker from obtaining and using a stale cookie after the session has ended.

The Session configuration is secure by default, which may require alteration if using HTTP or different domains for the Admin API and Kong Manager. Even if an attacker were to obtain a stale cookie, it would not benefit them since the cookie is encrypted. The encrypted session data may be stored either in Kong or the cookie itself.

Configuration to Use the Sessions Plugin with Kong Manager

To enable sessions authentication, configure the following:

  1. enforce_rbac = on
  2. admin_gui_auth = <set to desired auth type>
  3. admin_gui_session_conf = {
  4.     "secret":"<SET_SECRET>",
  5.     "cookie_name":"<SET_COOKIE_NAME>",
  6.     "storage":"<SET_STORAGE>",
  7.     "cookie_lifetime":<NUMBER_OF_SECONDS_TO_LIVE>,
  8.     "cookie_renew":<NUMBER_OF_SECONDS_LEFT_TO_RENEW>
  9.     "cookie_secure":<SET_DEPENDING_ON_PROTOCOL>
  10.     "cookie_samesite":"<SET_DEPENDING_ON_DOMAIN>"
  11. }
  • "cookie_name":"<SET_COOKIE_NAME>": The name of the cookie
    • For example, "cookie_name":"kong_cookie"
  • "secret":"<SET_SECRET>": The secret used in keyed HMAC generation. Although the Session Plugin’s default is a random string, the secret must be manually set for use with Kong Manager since it must be the same across all Kong workers/nodes.
  • "storage":"<SET_STORAGE>": Where session data is stored. It is "cookie" by default, but may be more secure if set to "kong" since access to the database would be required.
  • "cookie_lifetime":<NUMBER_OF_SECONDS_TO_LIVE>: The duration (in seconds) that the session will remain open; 3600 by default.
  • "cookie_renew":<NUMBER_OF_SECONDS_LEFT_TO_RENEW>: The duration (in seconds) of a session remaining at which point the Plugin renews the session; 600 by default.
  • "cookie_secure":<SET_DEPENDING_ON_PROTOCOL>: true by default. See Session Security for exceptions.
  • "cookie_samesite":"<SET_DEPENDING_ON_DOMAIN>": "Strict" by default. See Session Security for exceptions.

For detailed descriptions of each configuration property, learn more in the Session Plugin documentation.

Session Security

The Session configuration is secure by default, so the cookie uses the Secure, HttpOnly, and SameSite directives.

The following properties must be altered depending on the protocol and domains in use:

  • If using HTTP instead of HTTPS: "cookie_secure": false
  • If using different domains for the Admin API and Kong Manager: "cookie_samesite": "off"

Example Configurations

If using HTTPS and hosting Kong Manager and the Admin API from the same domain, the following configuration could be used for Basic Auth:

  1. enforce_rbac = on
  2. admin_gui_auth = basic-auth
  3. admin_gui_session_conf = {
  4.     "cookie_name":"$4m04$"
  5.     "secret":"change-this-secret"
  6.     "storage":"kong"
  7. }

In testing, if using HTTP, the following configuration could be used instead:

  1. enforce_rbac = on
  2. admin_gui_auth = basic-auth
  3. admin_gui_session_conf = {
  4.     "cookie_name":"04tm34l"
  5.     "secret":"change-this-secret"
  6.     "storage":"kong"
  7.     "cookie_secure":false
  8. }