amberlipp opened a new issue, #13031:
URL: https://github.com/apache/apisix/issues/13031

### Current Behavior

After successful OpenID Connect authentication, the generated cookie field is `session` and cannot be modified. If the cookie field of the business system is also `session`, the latter will overwrite the OIDC cookie session.
   
### Expected Behavior

Add a `name` configuration parameter to `schema.session` of the OpenID Connect plugin to support customizing the cookie field name.
Example as follows:

```lua
session = {
    type = "object",
    properties = {
        -- proposed new field: the cookie name used for the OIDC session
        name = {
            type = "string",
            description = "session name",
            default = "OIDC_SESSION",
        },
        secret = {
            type = "string",
            description = "the key used for the encrypt and HMAC calculation",
            minLength = 16,
        },
    },
},
```
   
### Error Logs

_No response_
   
### Steps to Reproduce

1. The cookie field generated by the business system is set to `session`.
2. Deploy APISIX to connect to a certain authentication source.
3. APISIX uses the header identity passthrough method when connecting to the business system.
4. After successful APISIX SSO authentication, a cookie with the field `session` is generated, and requests to the business system are forwarded normally.
5. If the business system response sets a cookie with the same field `session`, it will overwrite the `session` cookie generated by APISIX.
   
### Environment

- APISIX version (run `apisix version`): 3.14
- Operating system (run `uname -a`): Linux localhost.localdomain 5.10.134-13.an8.x86_64 #1 SMP Mon Jan 9 10:39:46 CST 2023 x86_64 x86_64 x86_64 GNU/Linux
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx version: openresty/1.27.1.2
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
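The collision in the steps above can be modelled with Python's `http.cookiejar`, which keeps one cookie per (domain, path, name) just as a browser does. This is an added illustration, not code from the issue or from APISIX; the host `app.example.test`, the cookie values and the `_FakeResponse` helper are constructed for the example.

```python
"""Model the cookie-name collision between a gateway's OIDC session cookie
and an upstream application's cookie using http.cookiejar (constructed)."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SITE = "http://app.example.test/"  # constructed host, not from the issue


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:  # Message.__setitem__ appends
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def simulate(gateway_cookie_name, app_cookie_name):
    """Return {name: value} for the cookies a browser holds after the
    gateway sets its session cookie and the proxied upstream response
    then sets its own cookie on the same host and path."""
    jar = CookieJar()
    req = Request(SITE)
    # 1. Gateway finishes OIDC login and issues its session cookie.
    gateway = f"{gateway_cookie_name}=oidc-state; Path=/; HttpOnly"
    jar.extract_cookies(_FakeResponse([gateway]), req)
    # 2. Upstream response, forwarded by the gateway, sets its own cookie.
    upstream = f"{app_cookie_name}=app-state; Path=/; HttpOnly"
    jar.extract_cookies(_FakeResponse([upstream]), req)
    return {c.name: c.value for c in jar}


def gateway_session_survives(gateway_cookie_name, app_cookie_name):
    """True if the gateway's session cookie is still present afterwards."""
    cookies = simulate(gateway_cookie_name, app_cookie_name)
    return cookies.get(gateway_cookie_name) == "oidc-state"


if __name__ == "__main__":
    # Same name on both sides: the upstream cookie replaces the OIDC one.
    print(simulate("session", "session"))
    # Distinct gateway cookie name: both cookies coexist.
    print(simulate("OIDC_SESSION", "session"))
```

With the default name, `simulate("session", "session")` leaves only the upstream value, which is the overwrite the issue describes; a distinct gateway cookie name keeps both.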
   

