bungle / lua-resty-session

Session library for OpenResty – flexible and secure
BSD 2-Clause "Simplified" License

Multiple cookie domains support in lua-resty-session #130

Closed Subbu3992 closed 1 year ago

Subbu3992 commented 3 years ago

Open Question:

  1. Currently, does lua-resty-session support multiple cookie domains? If so, how?

Actual Need:

We are using a common Kong gateway for multiple applications that are in different domains [sample.ex.com, asample.xe.com].

Session values are configured through KONG_NGINX_CONFIG_FILE as below:

set $session_cookie_domain ex.com; [only one domain input allowed and could not use patterns as well]

In the above case Kong could not serve the other application asample.xe.com and errors out with "request to the redirect_uri_path but there's no session state found" after OIDC authentication.

Is it feasible to have multiple cookie domains in lua-resty-session?

bungle commented 3 years ago

@Subbu3992, sure, you can configure the library dynamically in Lua code. You don't need to use Nginx variables for that.

local session = require "resty.session".open { cookie = { domain = "a.com" } }

bungle commented 3 years ago

This is how Kong session plugin does it: https://github.com/Kong/kong-plugin-session/blob/master/kong/plugins/session/session.lua#L12-L43

bungle commented 3 years ago

If you mean whether you can send a cookie that the browser sends to multiple different domains, the answer is that you cannot. But that is by the cookie specification.
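The two points in bungle's replies fit together: the Domain attribute can be chosen per request in Lua, but each cookie is still bound to one registrable domain, so a gateway that fronts sample.ex.com and asample.xe.com has to pick the matching domain for whichever host the request arrived on. The snippet below is an added example, not code from the lua-resty-session project, the Kong session plugin or this thread. It assumes the v3-style `session.open { cookie = { domain = ... } }` call shown above, an OpenResty/Kong context where `ngx.var.host` is available, and a constructed allowlist of the two domains from the question. Hosts outside the allowlist get a host-only cookie rather than an overly broad `Domain`, which keeps one application's session from being presented to unrelated sites on a shared parent domain.

```lua
-- Added example (not from lua-resty-session, Kong or this issue thread).
-- Assumes the v3 API used above: session.open { cookie = { domain = ... } }.
-- Chooses the cookie Domain per request from an explicit allowlist so the
-- session cookie is only ever scoped to the registrable domain serving it.

local session_lib = require "resty.session"

-- Constructed allowlist: registrable domain -> Domain attribute to issue.
-- Any host not under one of these gets a host-only cookie (no Domain at all).
local COOKIE_DOMAINS = {
  ["ex.com"] = "ex.com",   -- serves sample.ex.com
  ["xe.com"] = "xe.com",   -- serves asample.xe.com
}

-- Returns the allowlisted domain for a request host, or nil for host-only.
-- Matches the host exactly or as a subdomain ("foo.ex.com" but not "fooex.com").
local function cookie_domain_for(host)
  if not host or host == "" then
    return nil
  end
  host = host:lower():gsub(":%d+$", "")  -- strip an explicit port, if any
  for suffix, domain in pairs(COOKIE_DOMAINS) do
    if host == suffix or host:sub(-(#suffix + 1)) == "." .. suffix then
      return domain
    end
  end
  return nil
end

-- Opens (or creates) the session for the current request with a Domain that
-- matches the host the browser actually used; a cookie issued for ex.com will
-- never be sent to xe.com, which is the cookie-spec limit bungle describes.
local function open_session_for_request()
  local domain = cookie_domain_for(ngx.var.host)
  return session_lib.open {
    cookie = {
      domain   = domain,   -- nil => host-only cookie
      secure   = true,     -- only over TLS
      httponly = true,     -- not readable from page scripts
      samesite = "Lax",
    },
  }
end

return {
  cookie_domain_for        = cookie_domain_for,
  open_session_for_request = open_session_for_request,
}
```

Call `open_session_for_request()` from the access phase in place of the static `$session_cookie_domain` variable; with this table a request to sample.ex.com gets `Domain=ex.com` and one to asample.xe.com gets `Domain=xe.com`, while an unexpected host such as an internal hostname gets no Domain attribute. Note that the v4 release of lua-resty-session flattened the options (the equivalent key there is `cookie_domain`), so the `cookie = { ... }` shape assumed here applies to the pre-v4 versions this thread is about.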

shawnchapla-8451 commented 1 year ago

A follow-on to this thread ... we're using an OSS plugin for Kong v3.x (so the pre-v4 version of lua-resty-session) that is built on lua-resty-openidc, and have a use case where we need the session cookie to be set for multiple domains. In this scenario, we're using the Kong gateway with a "vanity" name (e.g., www.app.com) to serve up content for a SPA which in turn calls APIs on the same gateway at a different domain (e.g., api.company.com). It's the same Kong gateway, and we need the session cookie set when the browser originally accesses www.app.com to also be sent to the APIs at api.company.com.

I found a blog talking about apps setting multiple cookies with the same name and value but different domain settings. Is it possible to do something like that with lua-resty-session?