Sessions in the Dev Portal

    The Session configuration is secure by default, which may require alteration if using HTTP or different domains for and portal_gui_host. Even if an attacker were to obtain a stale cookie, it would not benefit them since the cookie is encrypted. The encrypted session data may be stored either in Kong or the cookie itself.

    To enable sessions authentication, configure the following:

    • "secret":"<SET_SECRET>": The secret used in keyed HMAC generation. Although the Session Plugin’s default is a random string, the secret must be manually set for use with the Dev Portal since it must be the same across all Kong workers/nodes.
    • "storage":"kong": Where session data is stored. This value must be set to kong for use with the Dev Portal.
    • "cookie_lifetime":<NUMBER_OF_SECONDS_TO_LIVE>: The duration (in seconds) that the session will remain open; 3600 by default.
    • "cookie_renew":<NUMBER_OF_SECONDS_LEFT_TO_RENEW>: The duration (in seconds) of a session remaining at which point the Plugin renews the session; 600 by default.
    • : true by default. See for exceptions.
    • "cookie_samesite":"<SET_DEPENDING_ON_DOMAIN>": "Strict" by default. See Session Security for exceptions.
    • logout_methods
    • logout_query_arg
    • logout_post_arg

    For detailed descriptions of each configuration property, see the .

    The Session configuration is secure by default, so the cookie uses the Secure, HttpOnly, and directives.

    • If using HTTP instead of HTTPS:
    • If using different subdomains for the portal_api_url and , see the example below for Domains.

    If using HTTPS and hosting Dev Portal API and the Dev Portal GUI from the same domain, the following configuration could be used for Basic Auth:

    In testing, if using HTTP, the following configuration could be used instead:

    Domains