You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/proposals/session-persistence.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -142,7 +142,7 @@ Users can configure [sessionPersistence](https://gateway-api.sigs.k8s.io/referen
142
142
| no matching spec field |`secure`| Enabled by default for all routes. |
143
143
| no matching spec field |`httpOnly`| Enabled by default for all routes. |
144
144
145
-
Note: The default `secure` and `httpOnly` settings may change in the future if we need to align with the Gateway API specification.
145
+
Note: The default `secure` and `httpOnly` settings may change in the future if we need to align with the Gateway API specification. Enabling `secure` limits session persistence to HTTPS connections to the Gateway, which can be a limitation for HTTP-only clients, and `httpOnly` prevents JavaScript from accessing the cookie. These limitations will be described in more detail in the Session Persistence user documentation.
146
146
147
147
#### Domain and Path selection for Routes
148
148
@@ -177,11 +177,11 @@ There are no existing conformance tests for session persistence, so we will add
177
177
178
178
The main security concern is how far session cookies reach. This design keeps cookies host-only by never setting the domain attribute, and for HTTPRoutes it scopes cookies by route path (or `/` when no safe common prefix exists). That limits both cross-host and cross-path leakage and reduces the impact of a compromised cookie.
179
179
180
-
We also set `secure` and `httponly` on the session cookie by default as a hardening measure. If Gateway API later adds these as fields with different defaults, we’ll treat any change in behavior as an experimental-API breaking change. This will be documented in the Session Persistence guide, and upgrade guidance will be provided so users can explicitly configure these cookie attributes.
180
+
We also set `secure` and `httponly` on the session cookie by default as a hardening measure. If Gateway API later adds these as fields with different defaults, we’ll treat any change in behavior as an experimental-API breaking change. TThis will be documented in the Session Persistence guide, along with the limitations of these directives, and upgrade guidance will be provided so users can explicitly configure these cookie attributes.
181
181
182
182
### Edge Cases
183
183
184
-
- If both Kubernetes Service-level session affinity and Gateway API sessionPersistence are configured for the same traffic, the route MUST be rejected, with a status condition explaining that the two mechanisms are incompatible.
184
+
- If an implementation routes through Service IPs, any Gateway-level session persistence must be rejected when Service-level session affinity is enabled. In our case, the data plane routes directly to pod IPs, so Service affinity does not interfere with session persistence between the gateway and backends.
185
185
- For traffic-splitting configurations, if cookie-based session persistence is enabled, sessions must remain pinned consistently across the split backends.
0 commit comments