Sessions in Kong Manager

    The Session configuration is secure by default, which may require changes if using HTTP or different domains for the Admin API and Kong Manager. Even if an attacker were to obtain a stale cookie, it would not benefit them, since the session data in the cookie is encrypted. The encrypted session data may be stored either in Kong or in the cookie itself.

    To enable session authentication, configure the following:

    For detailed descriptions of each configuration property, learn more in the .

    The Session configuration is secure by default, so the cookie uses the , and SameSite directives.

    • If using HTTP instead of HTTPS: "cookie_secure": false
    • If using different domains for the Admin API and Kong Manager: "cookie_samesite": "off"

    Important: Sessions are not invalidated when a user logs out if "storage": "cookie" (the default) is used. In that case, logging out only deletes the cookie client-side. Only when session data is stored server-side is the session actively invalidated.
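    The following is an added example, not Kong's own code: a small lint that checks the three settings discussed above (cookie_secure, cookie_samesite and storage) against the URLs the Admin API and Kong Manager are actually served on, flagging both insecure relaxations and the logout caveat. It assumes the Session plugin defaults cookie_secure=true, cookie_samesite="Strict" and storage="cookie", that the server-side storage value is "kong", and uses a host comparison as a stand-in for "same domain".

```python
# Added example (not Kong's code): lint Kong Manager session settings against
# the deployment they run in. Assumed plugin defaults are listed in DEFAULTS;
# "kong" is assumed to be the server-side storage value.
from urllib.parse import urlsplit

DEFAULTS = {"cookie_secure": True, "cookie_samesite": "Strict", "storage": "cookie"}


def check_session_conf(conf: dict, admin_api_url: str, manager_url: str) -> list[tuple[str, str]]:
    """Return (setting, finding) pairs; an empty list means the settings fit the deployment."""
    settings = {**DEFAULTS, **conf}
    api, gui = urlsplit(admin_api_url), urlsplit(manager_url)
    all_https = api.scheme == "https" and gui.scheme == "https"
    same_host = api.hostname == gui.hostname  # crude stand-in for "same domain"
    findings: list[tuple[str, str]] = []

    # cookie_secure must match the scheme: true on HTTP breaks login, false on HTTPS leaks.
    if settings["cookie_secure"] and not all_https:
        findings.append(("cookie_secure",
                         "cookie_secure is true but at least one URL is plain HTTP: browsers "
                         "will not send the cookie; serve both over HTTPS or set cookie_secure=false"))
    elif not settings["cookie_secure"] and all_https:
        findings.append(("cookie_secure",
                         "cookie_secure=false on an all-HTTPS deployment: the session cookie "
                         "may be sent over plain HTTP; keep the secure default"))

    # SameSite only needs relaxing when the two services really are on different domains.
    samesite = settings["cookie_samesite"]
    if not same_host and samesite != "off":
        findings.append(("cookie_samesite",
                         f"hosts differ but cookie_samesite={samesite!r}: the browser will not attach "
                         "the cookie to cross-site Admin API requests; use one domain or set \"off\""))
    elif same_host and samesite == "off":
        findings.append(("cookie_samesite",
                         "cookie_samesite=\"off\" although both services share a domain: keep the "
                         "default to retain the cookie's CSRF protection"))

    # Cookie storage means logout cannot revoke a copied cookie before it expires.
    if settings["storage"] == "cookie":
        findings.append(("storage",
                         "storage=\"cookie\": logout only deletes the cookie client-side, so a copied "
                         "cookie stays valid until expiry; use storage=\"kong\" to invalidate on logout"))
    return findings


if __name__ == "__main__":
    # Constructed sample: default settings on a single HTTPS host.
    for setting, msg in check_session_conf({}, "https://kong.example.test:8444", "https://kong.example.test:8445"):
        print(f"[{setting}] {msg}")
```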

    If using HTTPS and hosting Kong Manager and the Admin API from the same domain, the following configuration could be used for Basic Auth: