Open lorenzoaiello opened 4 years ago
I've been having a similar issue (although I am using shm
storage). What finally fixed it for me was using a single nginx worker:
worker_processes 1;
Another workaround explained here also worked (this one lets you use any number of workers):
http {
init_by_lua_block {
require('resty.session')
}
}
I'd previously tried the workarounds from here: disabling checks, setting a session secret and disabling encryption (set $session_cipher none
), but they did not work.
Speculation: it seems like there's some initialization work that has to happen in the main nginx process before the workers start up. If you defer loading of resty.session until your access_by_lua
phase, it creates some kind of race between the workers (even when they should all be using identical configuration?).
I had this issue and was resolved by adding session secret on kong KONG_NGINX_PROXY_SET: "$$session_secret <secret>"
@ ahmednasir91, thanks, it's working
I'm also getting this error with the redis session provider.
Any solutions?
Hi @mamacdon, I think the issue is caused by that every worker process generates its own different session secret, and thus cannot decrypt the session cookie created by another worker process.
Have a look at https://github.com/bungle/lua-resty-session/issues/23#issuecomment-1223717732 and hope it could help you.
I've got an issue I've been chasing down for the last few days and I suspect that it's a configuration issue on my side, but I can't figure out what it is. Any help would be appreciated.
Expected Behavior
Users should be able to log in once through the OIDC user flow and maintain that session until the token expires.
Current Behavior
Accessing a webpage runs the user through the OIDC workflow successfully, but all static assets it tries to access redirect to restart the authentication workflow. Navigating to a new page also re-runs the authentication workflow.
The request FROM
/callback
after authentication has the correctSet-Cookie
payload and it is being passed to the subsequent request.The subsequent request to
/queryview/
after authentication (4th line down) has the correctCookie
header, but gets a new session cookie returned.If you look at the logs towards the bottom, you can see that something is happening to the session between requests.
Infrastructure
In case it's relevant, this is running on three EC2 instances in AWS behind an NLB which is doing SSL termination (re-establishing SSL to Kong).
Troubleshooting Attempted
I've already tried multiple things, including:
Kong Configuration File
OIDC Plugin Configuration
Log Files