Kong · dndx · Nov 7, 2022 · Jun 6, 2022 · Oct 21, 2022 · Dec 13, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -93,6 +93,11 @@
 - **Rate-limiting**: The HTTP status code and response body for rate-limited
   requests can now be customized. Thanks, [@utix](https://github.com/utix)!
   [#8930](https://github.com/Kong/kong/pull/8930)
+- **Session**: Add new config `cookie_persistent` that allows browser to persist
+  cookies even if browser is closed. This defaults to `false` which means
+  cookies are not persistend across browser restarts. Thanks [@tschaume](https://github.com/tschaume)
+  for this contribution!
+  [#8187](https://github.com/Kong/kong/pull/8187)
 
 #### Performance
 

diff --git a/kong/plugins/session/schema.lua b/kong/plugins/session/schema.lua
@@ -56,6 +56,7 @@ return {
           { cookie_httponly = { type = "boolean", default = true } },
           { cookie_secure = { type = "boolean", default = true } },
           { cookie_discard = { type = "number", default = 10 } },
+          { cookie_persistent = { type = "boolean", default = false } },
           {
             storage = {
               required = false,

diff --git a/kong/plugins/session/session.lua b/kong/plugins/session/session.lua
@@ -15,15 +15,16 @@ local function get_opts(conf)
     secret  = conf.secret,
     storage  = conf.storage,
     cookie  = {
-      lifetime = conf.cookie_lifetime,
-      idletime = conf.cookie_idletime,
-      path     = conf.cookie_path,
-      domain   = conf.cookie_domain,
-      samesite = conf.cookie_samesite,
-      httponly = conf.cookie_httponly,
-      secure   = conf.cookie_secure,
-      renew    = conf.cookie_renew,
-      discard  = conf.cookie_discard,
+      lifetime   = conf.cookie_lifetime,
+      idletime   = conf.cookie_idletime,
+      path       = conf.cookie_path,
+      domain     = conf.cookie_domain,
+      samesite   = conf.cookie_samesite,
+      httponly   = conf.cookie_httponly,
+      secure     = conf.cookie_secure,
+      renew      = conf.cookie_renew,
+      discard    = conf.cookie_discard,
+      persistent = conf.cookie_persistent,
     }
   }
 

diff --git a/spec/03-plugins/30-session/01-access_spec.lua b/spec/03-plugins/30-session/01-access_spec.lua
@@ -4,6 +4,7 @@ local helpers = require "spec.helpers"
 local cjson = require "cjson"
 local lower = string.lower
 
+local COOKIE_LIFETIME = 3600
 
 for _, strategy in helpers.each_strategy() do
   describe("Plugin: Session (access) [#" .. strategy .. "]", function()
@@ -38,6 +39,11 @@ for _, strategy in helpers.each_strategy() do
         hosts = {"mockbin.org"},
       }
 
+      local route5 = bp.routes:insert {
+        paths    = {"/test5"},
+        hosts = {"httpbin.org"},
+      }
+
       assert(bp.plugins:insert {
         name = "session",
         route = {
@@ -82,6 +88,17 @@ for _, strategy in helpers.each_strategy() do
         }
       }
 
+      assert(bp.plugins:insert {
+        name = "session",
+        route = {
+          id = route5.id,
+        },
+        config = {
+          cookie_lifetime = COOKIE_LIFETIME,
+          cookie_persistent = true,
+        },
+      })
+
       consumer = db.consumers:insert({username = "coop"})
 
       credential = bp.keyauth_credentials:insert {
@@ -132,6 +149,16 @@ for _, strategy in helpers.each_strategy() do
         }
       }
 
+      bp.plugins:insert {
+        name = "key-auth",
+        route = {
+          id = route5.id,
+        },
+        config = {
+          anonymous = anonymous.id
+        }
+      }
+
       bp.plugins:insert {
         name = "request-termination",
         consumer = {
@@ -220,6 +247,35 @@ for _, strategy in helpers.each_strategy() do
         client:close()
       end)
 
+      it("plugin attaches Set-Cookie with max-age/expiry when cookie_persistent is true", function()
+        client = helpers.proxy_ssl_client()
+        local res = assert(client:send {
+          method = "GET",
+          path = "/test5/status/200",
+          headers = {
+            host = "httpbin.org",
+            apikey = "kong",
+          },
+        })
+        assert.response(res).has.status(200)
+        client:close()
+
+        local cookie = assert.response(res).has.header("Set-Cookie")
+        local cookie_name = utils.split(cookie, "=")[1]
+        assert.equal("session", cookie_name)
+
+        -- e.g. ["Set-Cookie"] =
+        --    "session=m1EL96jlDyQztslA4_6GI20eVuCmsfOtd6Y3lSo4BTY|15434724
+        --    06|U5W4A6VXhvqvBSf4G_v0-Q|DFJMMSR1HbleOSko25kctHZ44oo; Expires=Mon, 06 Jun 2022 08:30:27 GMT;
+        --    Max-Age=3600; Path=/; SameSite=Lax; Secure; HttpOnly"
+        local cookie_parts = utils.split(cookie, "; ")
+        assert.truthy(string.match(cookie_parts[2], "^Expires=(.*)"))
+        assert.equal("Max-Age=" .. COOKIE_LIFETIME, cookie_parts[3])
+        assert.equal("SameSite=Strict", cookie_parts[5])
+        assert.equal("Secure", cookie_parts[6])
+        assert.equal("HttpOnly", cookie_parts[7])
+      end)
+
       it("consumer headers are set correctly on request", function()
         local res, cookie
         local request = {